├── .circleci └── config.yml ├── .gitattributes ├── .gitignore ├── .gitlab-ci.yml.deprecated ├── Attest-fde.md ├── Autoboot-fde.md ├── BOOTMAGIC.md ├── COPYING ├── FAQ.md ├── FEATURES.md ├── Handle-FB.md ├── Howtobuild.md ├── Makefile ├── README.md ├── bin ├── cpio-clean ├── grub-wrap └── verity-sign ├── blobs ├── dev.cpio ├── librem_kbl │ ├── get_blobs.sh │ └── readme.md ├── librem_skl │ ├── get_blobs.sh │ └── readme.md ├── t420 │ ├── extract.sh │ ├── layout.txt │ └── readme.md ├── x220 │ ├── .gitignore │ ├── extract.sh │ ├── layout.txt │ └── readme.md ├── xx20 │ ├── download_parse_me.sh │ ├── gbe.bin │ ├── hashes.txt │ ├── ifd.bin │ ├── layout.txt │ ├── me7_update_parser.py │ └── readme.md └── xx30 │ ├── README │ ├── download_clean_me.sh │ ├── extract.sh │ ├── gbe.bin │ ├── hashes.txt │ └── ifd.bin ├── boards ├── kgpe-d16_server-whiptail │ └── kgpe-d16_server-whiptail.config ├── kgpe-d16_server │ └── kgpe-d16_server.config ├── kgpe-d16_workstation-usb_keyboard │ └── kgpe-d16_workstation-usb_keyboard.config ├── kgpe-d16_workstation │ └── kgpe-d16_workstation.config ├── leopard │ └── leopard.config ├── librem_13v2 │ └── librem_13v2.config ├── librem_13v4 │ └── librem_13v4.config ├── librem_15v3 │ └── librem_15v3.config ├── librem_15v4 │ └── librem_15v4.config ├── librem_l1um │ └── librem_l1um.config ├── librem_mini │ └── librem_mini.config ├── librem_mini_v2 │ └── librem_mini_v2.config ├── qemu-coreboot-fbwhiptail │ └── qemu-coreboot-fbwhiptail.config ├── qemu-coreboot │ └── qemu-coreboot.config ├── qemu-hvault-basic │ └── qemu-hvault-basic.config ├── qemu-hvault-generic │ └── qemu-hvault-generic.config ├── qemu-hvault-legacy │ └── qemu-hvault-legacy.config ├── qemu-hvault-tpm2-attest │ └── qemu-hvault-tpm2-attest.config ├── qemu-hvault-tpm2-nobootsig │ └── qemu-hvault-tpm2-nobootsig.config ├── qemu-hvault-tpm2 │ └── qemu-hvault-tpm2.config ├── qemu-linuxboot │ └── qemu-linuxboot.config ├── r630 │ └── r630.config ├── rpi4-hvault-tpm2-attest │ └── rpi4-hvault-tpm2-attest.config ├── rpi4-hvault-tpm2 │ └── rpi4-hvault-tpm2.config ├── s2600wf │ └── s2600wf.config ├── supermicro-x11ssh-f │ └── supermicro-x11ssh-f.config ├── supermicro-x11ssh-tf │ └── supermicro-x11ssh-tf.config ├── t420-hotp-maximized │ └── t420-hotp-maximized.config ├── t420-maximized │ └── t420-maximized.config ├── t420 │ └── t420.config ├── t430-flash │ └── t430-flash.config ├── t430-hotp-maximized │ └── t430-hotp-maximized.config ├── t430-maximized │ └── t430-maximized.config ├── t430 │ └── t430.config ├── tioga │ └── tioga.config ├── winterfell │ ├── uinit.go │ └── winterfell.config ├── x220-hotp-maximized │ └── x220-hotp-maximized.config ├── x220-maximized │ └── x220-maximized.config ├── x220 │ └── x220.config ├── x230-flash │ └── x230-flash.config ├── x230-hotp-maximized │ └── x230-hotp-maximized.config ├── x230-hotp-verification │ └── x230-hotp-verification.config ├── x230-maximized │ └── x230-maximized.config └── x230 │ └── x230.config ├── build └── .gitignore ├── config ├── busybox.config ├── coreboot-kgpe-d16_server-whiptail.config ├── coreboot-kgpe-d16_server.config ├── coreboot-kgpe-d16_workstation-usb_keyboard.config ├── coreboot-kgpe-d16_workstation.config ├── coreboot-librem_13v2.config ├── coreboot-librem_13v4.config ├── coreboot-librem_15v3.config ├── coreboot-librem_15v4.config ├── coreboot-librem_l1um.config ├── coreboot-librem_mini.config ├── coreboot-librem_mini_v2.config ├── coreboot-qemu-fbwhiptail.config ├── coreboot-qemu-hvault-tpm2.config ├── coreboot-qemu-hvault.config ├── coreboot-qemu.config ├── coreboot-supermicro-x11ssh-f.config ├── coreboot-supermicro-x11ssh.config ├── coreboot-t420-hotp-maximized.config ├── coreboot-t420-maximized.config ├── coreboot-t420.config ├── coreboot-t430-flash.config ├── coreboot-t430-hotp-maximized.config ├── coreboot-t430-maximized.config ├── coreboot-t430.config ├── coreboot-x220-hotp-maximized.config ├── coreboot-x220-maximized.config ├── coreboot-x220.config ├── coreboot-x230-flash.config ├── coreboot-x230-hotp-maximized.config ├── coreboot-x230-hotp-verification.config ├── coreboot-x230-maximized.config ├── coreboot-x230.config ├── hvault-common.config ├── hvault-rpi4-aarch64.config ├── linux-kgpe-d16_server-whiptail.config ├── linux-kgpe-d16_server.config ├── linux-kgpe-d16_workstation.config ├── linux-librem_common.config ├── linux-linuxboot.config ├── linux-qemu.config ├── linux-x230-flash.config └── linux-x230.config ├── initrd ├── .ash_history ├── .gnupg │ ├── gpg-agent.conf │ └── gpg.conf ├── bin │ ├── autoboot-init │ ├── cbfs-init │ ├── config-gui.sh │ ├── flash-gui.sh │ ├── flash.sh │ ├── flashrom-kgpe-d16-openbmc.sh │ ├── generic-init │ ├── gpg-gui.sh │ ├── gpgv │ ├── gui-init │ ├── halt │ ├── iommu_audit.sh │ ├── kexec-attest │ ├── kexec-boot │ ├── kexec-insert-key │ ├── kexec-iso-init │ ├── kexec-parse-bls │ ├── kexec-parse-boot │ ├── kexec-save-default │ ├── kexec-save-key │ ├── kexec-seal-key │ ├── kexec-select-boot │ ├── kexec-sign-config │ ├── kexec-unseal-key │ ├── key-init │ ├── media-scan │ ├── mount-sata │ ├── mount-usb │ ├── network-init-recovery │ ├── oem-factory-reset │ ├── poweroff │ ├── qubes-measure-luks │ ├── reboot │ ├── seal-hotpkey │ ├── seal-totp │ ├── t430-flash.init │ ├── tpm-reset │ ├── tpmr │ ├── uefi-init │ ├── unseal-hotp │ ├── unseal-totp │ ├── usb-init │ ├── wget-measure.sh │ └── x230-flash.init ├── etc │ ├── distro │ │ └── keys │ │ │ ├── archlinux.key │ │ │ ├── qubes-4.key │ │ │ ├── qubes-testing.key │ │ │ └── tails.key │ ├── fstab │ ├── functions │ ├── group │ ├── gui_functions │ ├── hosts │ ├── luks-functions │ ├── motd │ ├── mtab │ ├── passwd │ └── shells ├── init ├── mount-boot ├── run │ └── cryptsetup │ │ └── .placeholder └── sbin │ ├── config-dhcp.sh │ └── insmod ├── install └── .gitignore ├── modules ├── attest-tools ├── bash ├── busybox ├── cairo ├── coreboot ├── coreboot-blobs ├── cryptsetup ├── cryptsetup2 ├── curl ├── dropbear ├── fbwhiptail ├── flashrom ├── flashtools ├── frotz ├── gawk ├── gpg ├── gpg2 ├── hidapi ├── hotp-verification ├── io386 ├── ioport ├── json-c ├── kexec ├── libaio ├── libassuan ├── libgcrypt ├── libgpg-error ├── libhidapi-libusb ├── libksba ├── libnitrokey ├── libpng ├── libusb ├── libusb-compat ├── linux ├── linuxboot ├── lvm2 ├── make ├── mbedtls ├── msrtools ├── musl-cross ├── newt ├── nkstorecli ├── npth ├── openssl ├── pciutils ├── pinentry ├── pixman ├── popt ├── powerpc-utils ├── purism-blobs ├── qrencode ├── slang ├── tpm2-tools ├── tpm2-tss ├── tpmtotp ├── u-root ├── util-linux ├── vim-xxd └── zlib ├── packages └── .gitignore └── patches ├── attest-tools.patch ├── busybox-1.32.0.patch ├── busybox-1.33.2.patch ├── coreboot-4.11 ├── 0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch ├── 0001-Add-Heads-TPM-measured-boot-support.patch ├── 0002-soc-intel-broadwell_de-Add-measured-boot-support.patch ├── 0003-drivers-generic-cbfs-serial-Add-driver-to-read-seria.patch ├── 0004-mb-purism-librem_l1um-Add-new-board.patch ├── 0020-kgpe-d16_measured-boot-support.patch ├── 0021-kgpe-d16_c-environment_bootblock.patch └── 0080-util-crossgcc-builgcc_temp_fix_from_https_to_http.patch ├── coreboot-4.13 ├── 0001-soc-cannonlake-me.c-Always-print-ME-status.patch └── 0080-util-crossgcc-builgcc_temp_fix_from_https_to_http.patch ├── coreboot-4.8.1 ├── 0000-measuredboot.patch ├── 0001-mb-purism-librem_skl-add-support-for-13v4-15v4-board.patch ├── 0002-arch-x86-acpi-Add-DMAR-RMRR-helper-functions.patch ├── 0003-soc-intel-skylake-Generate-ACPI-RMRR-table.patch ├── 0007-intel-fsp-fsp2_0-Fix-FSP-2.0-headers-to-match-github.patch ├── 0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch ├── 0020-kgpe-d16.patch ├── 0030-sandybridge.patch ├── 0050-buildgcc-Do-not-try-to-install-GCC-if-build-failed.patch ├── 0051-buildgcc-Update-IASL-to-20180531.patch ├── 0052-crossgcc-Update-to-clang-6.0-cmake-3.11.3.patch ├── 0053-src-Get-rid-of-unneeded-whitespace.patch ├── 0054-util-crossgcc-Allow-building-a-new-gcc-against-new-b.patch ├── 0055-crosgcc-patches-Add-make-patch-for-GLIBC-glob-interf.patch ├── 0056-util-crossgcc-update-to-gcc-8.1.0-and-binutils-2.30.patch ├── 0057-util-crosgcc-patches-update-make-4.2.1-patches.patch ├── 0058-util-crosgcc-Fix-most-shellcheck-errors-in-buildgcc.patch ├── 0059-util-Add-description.md-to-each-util.patch ├── 0060-enable-tpm-on-t430.patch ├── 0061-bincfg-Intel_GBE_82579LM_set_and_spec.patch └── 0080-util-crossgcc-builgcc_temp_fix_from_https_to_http.patch ├── coreboot └── 0001-x11.patch ├── cryptsetup-1.7.3.patch ├── cryptsetup2-2.6.1.patch ├── dropbear-2016.74.patch ├── flashrom-1.5.1 ├── 0001-Revert-Remove-the-Makefile.patch └── 0002-cross-pkg-config.patch ├── flashrom-b1f858f65b2abd276542650d8cb9e382da258967 └── 0100-enable-kgpe-d16.patch ├── gpg-1.4.21.patch ├── gpg2-2.2.10.patch ├── gpg2-2.4.2.patch ├── kexec-2.0.22.patch ├── libassuan-2.5.1.patch ├── libassuan-2.5.6.patch ├── libgcrypt-1.10.2.patch ├── libgcrypt-1.8.6.patch ├── libgpg-error-1.47.patch ├── libksba-1.3.5.patch ├── libksba-1.6.4.patch ├── linux-1.20220331 └── 0000-Add-cpu-hotplug-for-device-tree-parking-method.patch ├── linux-4.14.62 ├── 0000-efi_bds.patch ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch ├── 0003-fake-trampoline.patch ├── 0010-winterfell-ahci.patch ├── 0138-hv-mei.patch └── 0139-hv-untrusted_pci_ats-info.patch ├── linux-4.19.139 ├── 0000-efi_bds.patch ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch ├── 0003-fake-trampoline.patch └── 0010-winterfell-ahci.patch ├── linux-5.10.214 ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch ├── 0003-fake-trampoline.patch ├── 0010-winterfell-ahci.patch └── shebangs.patch ├── linux-5.10.5 ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch ├── 0003-fake-trampoline.patch └── 0010-winterfell-ahci.patch ├── linux-5.15.45 ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch └── 0010-winterfell-ahci.patch ├── linux-5.4.68 ├── 0000-efi_bds.patch ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch ├── 0003-fake-trampoline.patch └── 0010-winterfell-ahci.patch ├── linux-5.4.69 ├── 0000-efi_bds.patch ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch ├── 0003-fake-trampoline.patch └── 0010-winterfell-ahci.patch ├── linux-6.1.8 ├── 0001-fake-acpi.patch ├── 0002-nmi-squelch.patch └── 0010-winterfell-ahci.patch ├── lvm2-2.02.168.patch ├── lvm2-2.03.23.patch ├── make-4.2.1.patch ├── openssl-3.0.8.patch ├── pciutils-3.5.4.patch ├── powerpc-utils-1.3.5.patch ├── tpm2-tools-5.6.patch ├── tpm2-tss-3.2.2.patch └── util-linux-2.39.patch /.gitattributes: -------------------------------------------------------------------------------- 1 | *.config linguist-language=Makefile 2 | modules/* linguist-language=Makefile 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .*.sw* 2 | *.xz 3 | *.bz2 4 | *.gz 5 | *.sign 6 | *.rom 7 | *.o 8 | *.gz 9 | *.tgz 10 | *.img 11 | *.rom 12 | *.cpio 13 | typescript* 14 | config/*.old 15 | *.log 16 | *~ 17 | crossgcc 18 | clean 19 | *.map 20 | *.sec 21 | *.dep 22 | *.ffs 23 | *.vol 24 | *.lz 25 | *.fv 26 | *.bin 27 | *.bad 28 | -------------------------------------------------------------------------------- /bin/grub-wrap: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if ! which grub-mkimage > /dev/null; then 4 | echo "grub-mkimage(1) not available!" 5 | exit 1 6 | fi 7 | 8 | if ! [ -d /usr/lib/grub/i386-coreboot/ ]; then 9 | echo "grub-coreboot-bin not available!" 10 | exit 1 11 | fi 12 | 13 | TMPDIR=$(mktemp -d) 14 | VMLINUZ=${1} 15 | INITRD=${2} 16 | TARGET=${3} 17 | 18 | # put vmlinuz and initrd into the tar memdisk, as how 19 | # grub-mkstandalone does 20 | cp ${VMLINUZ} ${TMPDIR}/vmlinuz 21 | cp ${INITRD} ${TMPDIR}/initrd 22 | chmod 600 ${TMPDIR}/* 23 | tar -C ${TMPDIR} -chf ${TMPDIR}/memdisk.tar -H ustar --mtime='UTC 1970-01-01' \ 24 | --owner grub:1750 --group grub:1750 vmlinuz initrd 25 | 26 | # generate config script to launch the Linux payload 27 | cat > ${TMPDIR}/stub.cfg < -m (optional) -i (optional)" 5 | exit 0 6 | } 7 | 8 | BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 9 | 10 | if [ "$#" -eq 0 ]; then printusage; fi 11 | 12 | while getopts ":f:m:i:" opt; do 13 | case $opt in 14 | f) 15 | FILE="$OPTARG" 16 | ;; 17 | m) 18 | if [ -x "$OPTARG" ]; then 19 | MECLEAN="$OPTARG" 20 | fi 21 | ;; 22 | i) 23 | if [ -x "$OPTARG" ]; then 24 | IFDTOOL="$OPTARG" 25 | fi 26 | ;; 27 | esac 28 | done 29 | 30 | if [ -z "$MECLEAN" ]; then 31 | MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` 32 | if [ -z "$MECLEAN" ]; then 33 | echo "me_cleaner.py required but not found or specified with -m. Aborting." 34 | exit 1; 35 | fi 36 | fi 37 | 38 | if [ -z "$IFDTOOL" ]; then 39 | IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` 40 | if [ -z "$IFDTOOL" ]; then 41 | echo "ifdtool required but not found or specified with -m. Aborting." 42 | exit 1; 43 | fi 44 | fi 45 | 46 | echo "FILE: $FILE" 47 | echo "ME: $MECLEAN" 48 | echo "IFD: $IFDTOOL" 49 | 50 | bioscopy=$(mktemp) 51 | extractdir=$(mktemp -d) 52 | 53 | cp "$FILE" $bioscopy 54 | 55 | cd "$extractdir" 56 | $IFDTOOL -x $bioscopy 57 | cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" 58 | $MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" 59 | $IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy 60 | $IFDTOOL -x $bioscopy.new 61 | cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" 62 | 63 | rm "$bioscopy" 64 | rm "$bioscopy.new" 65 | rm -r "$extractdir" 66 | -------------------------------------------------------------------------------- /blobs/t420/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00018000:007fffff bios 3 | 00003000:00017fff me 4 | 00001000:00002fff gbe 5 | -------------------------------------------------------------------------------- /blobs/t420/readme.md: -------------------------------------------------------------------------------- 1 | To build for T420, we need to have the following files in this folder: 2 | * `me.bin` - ME binary that has been stripped and truncated with me_cleaner 3 | * `gbe.bin` - Network card blob from the original firmware 4 | * `ifd.bin` - Flash layout file has been provided as text 5 | 6 | To get the binaries, start with a copy of the original Lenovo firmware image. 7 | If you do not have one already, you can read one out from the laptops SPI flash with flashrom 8 | 9 | ``` 10 | flashrom -p -r original.bin 11 | ``` 12 | 13 | Set `` to the flashrom programmer type that you will use (for example, `linux_spi:dev=/dev/spidev0.0` on a Raspberry Pi). 14 | 15 | Once you have the image, the provided extraction script will extract the files needed. 16 | 17 | ``` 18 | ./extract.sh -f 19 | ``` 20 | 21 | Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located automatically. 22 | 23 | The flash layout will be automatically adjusted and the ME image cleaned and truncated. 24 | 25 | You can now compile the image with: 26 | 27 | ``` 28 | make BOARD=t420 29 | ``` 30 | -------------------------------------------------------------------------------- /blobs/x220/.gitignore: -------------------------------------------------------------------------------- 1 | gbe.bin 2 | me.bin 3 | ifd.bin 4 | -------------------------------------------------------------------------------- /blobs/x220/extract.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | function printusage { 4 | echo "Usage: $0 -f -m (optional) -i (optional)" 5 | exit 0 6 | } 7 | 8 | BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 9 | 10 | if [ "$#" -eq 0 ]; then printusage; fi 11 | 12 | while getopts ":f:m:i:" opt; do 13 | case $opt in 14 | f) 15 | FILE="$OPTARG" 16 | ;; 17 | m) 18 | if [ -x "$OPTARG" ]; then 19 | MECLEAN="$OPTARG" 20 | fi 21 | ;; 22 | i) 23 | if [ -x "$OPTARG" ]; then 24 | IFDTOOL="$OPTARG" 25 | fi 26 | ;; 27 | esac 28 | done 29 | 30 | if [ -z "$MECLEAN" ]; then 31 | MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` 32 | if [ -z "$MECLEAN" ]; then 33 | echo "me_cleaner.py required but not found or specified with -m. Aborting." 34 | exit 1; 35 | fi 36 | fi 37 | 38 | if [ -z "$IFDTOOL" ]; then 39 | IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` 40 | if [ -z "$IFDTOOL" ]; then 41 | echo "ifdtool required but not found or specified with -m. Aborting." 42 | exit 1; 43 | fi 44 | fi 45 | 46 | echo "FILE: $FILE" 47 | echo "ME: $MECLEAN" 48 | echo "IFD: $IFDTOOL" 49 | 50 | bioscopy=$(mktemp) 51 | extractdir=$(mktemp -d) 52 | 53 | cp "$FILE" $bioscopy 54 | 55 | cd "$extractdir" 56 | $IFDTOOL -x $bioscopy 57 | cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" 58 | $MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" 59 | $IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy 60 | $IFDTOOL -x $bioscopy.new 61 | cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" 62 | 63 | rm "$bioscopy" 64 | rm "$bioscopy.new" 65 | rm -r "$extractdir" 66 | -------------------------------------------------------------------------------- /blobs/x220/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00018000:007fffff bios 3 | 00003000:00017fff me 4 | 00001000:00002fff gbe 5 | -------------------------------------------------------------------------------- /blobs/x220/readme.md: -------------------------------------------------------------------------------- 1 | To build for X220 we need to have the following files in this folder: 2 | * `me.bin` - ME binary that has been stripped and truncated with me_cleaner 3 | * `gbe.bin` - Network card blob from the original firmware 4 | * `ifd.bin` - Flash layout file has been provided as text 5 | 6 | To get the binaries, start with a copy of the original Lenovo firmware image. 7 | If you do not have one already, you can read one out from the laptops SPI flash. 8 | 9 | ``` 10 | flashrom --programmer internal -r original.bin 11 | ``` 12 | 13 | Once you have the image, the provided extraction script will extract the files needed. 14 | 15 | ``` 16 | ./extract.sh -f 17 | ``` 18 | 19 | Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located 20 | automatically. 21 | 22 | The flash layout will be automatically adjusted and the ME image cleaned and truncated. 23 | 24 | You can now compile the image with: 25 | 26 | make BOARD=x220 27 | -------------------------------------------------------------------------------- /blobs/xx20/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hardenedvault/vaultboot/467f13795a77095ea4816076bfa8f0f4db888565/blobs/xx20/gbe.bin -------------------------------------------------------------------------------- /blobs/xx20/hashes.txt: -------------------------------------------------------------------------------- 1 | 9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 gbe.bin 2 | 907dfd580b4a680712bb4ee526f266c37a455196541d85702986532728f1eee9 ifd.bin 3 | 1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 me.bin 4 | -------------------------------------------------------------------------------- /blobs/xx20/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hardenedvault/vaultboot/467f13795a77095ea4816076bfa8f0f4db888565/blobs/xx20/ifd.bin -------------------------------------------------------------------------------- /blobs/xx20/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00018000:007fffff bios 3 | 00003000:00017fff me 4 | 00001000:00002fff gbe 5 | -------------------------------------------------------------------------------- /blobs/xx30/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hardenedvault/vaultboot/467f13795a77095ea4816076bfa8f0f4db888565/blobs/xx30/gbe.bin -------------------------------------------------------------------------------- /blobs/xx30/hashes.txt: -------------------------------------------------------------------------------- 1 | 9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 gbe.bin 2 | c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin 3 | c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 me.bin 4 | -------------------------------------------------------------------------------- /blobs/xx30/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hardenedvault/vaultboot/467f13795a77095ea4816076bfa8f0f4db888565/blobs/xx30/ifd.bin -------------------------------------------------------------------------------- /boards/leopard/leopard.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Leopard OCP node 2 | # and it uses LinuxBoot, not coreboot. 3 | CONFIG_LINUXBOOT=y 4 | CONFIG_LINUXBOOT_ROM=blobs/leopard.rom 5 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 6 | 7 | # If you want to build with the go-based u-root instead of Heads 8 | CONFIG_UROOT ?= n 9 | 10 | ifeq "$(CONFIG_UROOT)" "y" 11 | # The busybox will likely be redundant and can be trimmed for space. 12 | CONFIG_BUSYBOX=n 13 | CONFIG_ZLIB=n 14 | CONFIG_MUSL=n 15 | else 16 | # These don't fit if u-root is turned on 17 | #CONFIG_CRYPTSETUP=y 18 | #CONFIG_FLASHROM=y 19 | CONFIG_FLASHTOOLS=y 20 | #CONFIG_GPG=y 21 | CONFIG_KEXEC=y 22 | CONFIG_UTIL_LINUX=y 23 | #CONFIG_LVM2=y 24 | #CONFIG_MBEDTLS=y 25 | CONFIG_PCIUTILS=y 26 | #CONFIG_POPT=y 27 | #CONFIG_QRENCODE=y 28 | #CONFIG_TPMTOTP=y 29 | CONFIG_DROPBEAR=y 30 | endif 31 | 32 | # Linux modules will still be linked into the u-root tree 33 | CONFIG_LINUX_USB=y 34 | #CONFIG_LINUX_MLX4=y 35 | #CONFIG_LINUX_ATA=y 36 | #CONFIG_LINUX_AHCI=y 37 | #CONFIG_LINUX_E1000E=y 38 | #CONFIG_LINUX_NVME=y 39 | 40 | export CONFIG_BOOTSCRIPT=/bin/generic-init 41 | export CONFIG_TPM=n 42 | export CONFIG_BOOT_REQ_HASH=n 43 | export CONFIG_BOOT_REQ_ROLLBACK=n 44 | export CONFIG_BOOT_DEV="/dev/sda1" 45 | 46 | $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate 47 | 48 | -------------------------------------------------------------------------------- /boards/librem_13v2/librem_13v2.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem_13v2 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_13v2.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.8.1 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | 22 | #CONFIG_SLANG=y 23 | #CONFIG_NEWT=y 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | 30 | export CONFIG_TPM=y 31 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 32 | export CONFIG_BOOTSCRIPT=/bin/gui-init 33 | export CONFIG_BOOT_REQ_HASH=n 34 | export CONFIG_BOOT_REQ_ROLLBACK=n 35 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 36 | export CONFIG_BOOT_KERNEL_REMOVE="" 37 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 38 | export CONFIG_BOARD_NAME="Librem 13 v2/v3" 39 | export CONFIG_FLASHROM_OPTIONS="-p internal" 40 | export CONFIG_AUTO_BOOT_TIMEOUT=5 41 | -------------------------------------------------------------------------------- /boards/librem_13v4/librem_13v4.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem_13v4 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_13v4.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.8.1 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | 22 | #CONFIG_SLANG=y 23 | #CONFIG_NEWT=y 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | 30 | export CONFIG_TPM=y 31 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 32 | export CONFIG_BOOTSCRIPT=/bin/gui-init 33 | export CONFIG_BOOT_REQ_HASH=n 34 | export CONFIG_BOOT_REQ_ROLLBACK=n 35 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 36 | export CONFIG_BOOT_KERNEL_REMOVE="" 37 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 38 | export CONFIG_BOARD_NAME="Librem 13 v4" 39 | export CONFIG_FLASHROM_OPTIONS="-p internal" 40 | export CONFIG_AUTO_BOOT_TIMEOUT=5 41 | -------------------------------------------------------------------------------- /boards/librem_15v3/librem_15v3.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem_15v3 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v3.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.8.1 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | 22 | #CONFIG_SLANG=y 23 | #CONFIG_NEWT=y 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | 30 | export CONFIG_TPM=y 31 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 32 | export CONFIG_BOOTSCRIPT=/bin/gui-init 33 | export CONFIG_BOOT_REQ_HASH=n 34 | export CONFIG_BOOT_REQ_ROLLBACK=n 35 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 36 | export CONFIG_BOOT_KERNEL_REMOVE="" 37 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 38 | export CONFIG_BOARD_NAME="Librem 15 v3" 39 | export CONFIG_FLASHROM_OPTIONS="-p internal" 40 | export CONFIG_AUTO_BOOT_TIMEOUT=5 41 | -------------------------------------------------------------------------------- /boards/librem_15v4/librem_15v4.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem_15v4 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v4.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.8.1 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | 22 | #CONFIG_SLANG=y 23 | #CONFIG_NEWT=y 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | 30 | export CONFIG_TPM=y 31 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 32 | export CONFIG_BOOTSCRIPT=/bin/gui-init 33 | export CONFIG_BOOT_REQ_HASH=n 34 | export CONFIG_BOOT_REQ_ROLLBACK=n 35 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 36 | export CONFIG_BOOT_KERNEL_REMOVE="" 37 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 38 | export CONFIG_BOARD_NAME="Librem 15 v4" 39 | export CONFIG_FLASHROM_OPTIONS="-p internal" 40 | export CONFIG_AUTO_BOOT_TIMEOUT=5 41 | -------------------------------------------------------------------------------- /boards/librem_l1um/librem_l1um.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem_l1um 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.11 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | export CONFIG_PURISM_BLOBS=y 9 | 10 | CONFIG_CRYPTSETUP=y 11 | CONFIG_FLASHROM=y 12 | CONFIG_FLASHTOOLS=y 13 | CONFIG_GPG2=y 14 | CONFIG_KEXEC=y 15 | CONFIG_UTIL_LINUX=y 16 | CONFIG_LVM2=y 17 | CONFIG_MBEDTLS=y 18 | CONFIG_PCIUTILS=y 19 | CONFIG_POPT=y 20 | CONFIG_QRENCODE=y 21 | CONFIG_TPMTOTP=y 22 | 23 | CONFIG_CAIRO=y 24 | CONFIG_FBWHIPTAIL=y 25 | CONFIG_HOTPKEY=y 26 | 27 | CONFIG_LINUX_USB=y 28 | 29 | export CONFIG_TPM=y 30 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 31 | 32 | export CONFIG_BOOTSCRIPT=/bin/gui-init 33 | export CONFIG_BOOT_REQ_HASH=n 34 | export CONFIG_BOOT_REQ_ROLLBACK=n 35 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 36 | export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles" 37 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 38 | export CONFIG_BOARD_NAME="Librem Server L1UM" 39 | export CONFIG_AUTO_BOOT_TIMEOUT=5 40 | export CONFIG_FLASHROM_OPTIONS="-p internal" 41 | export CONFIG_USB_KEYBOARD=y 42 | -------------------------------------------------------------------------------- /boards/librem_mini/librem_mini.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem mini 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.13 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | export CONFIG_PURISM_BLOBS=y 9 | 10 | CONFIG_CRYPTSETUP=y 11 | CONFIG_FLASHROM=y 12 | CONFIG_FLASHTOOLS=y 13 | CONFIG_GPG2=y 14 | CONFIG_KEXEC=y 15 | CONFIG_UTIL_LINUX=y 16 | CONFIG_LVM2=y 17 | CONFIG_MBEDTLS=y 18 | CONFIG_PCIUTILS=y 19 | CONFIG_POPT=y 20 | CONFIG_QRENCODE=y 21 | CONFIG_TPMTOTP=y 22 | 23 | CONFIG_CAIRO=y 24 | CONFIG_FBWHIPTAIL=y 25 | CONFIG_HOTPKEY=y 26 | 27 | CONFIG_LINUX_USB=y 28 | 29 | export CONFIG_TPM=n 30 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 31 | 32 | export CONFIG_BOOTSCRIPT=/bin/gui-init 33 | export CONFIG_BOOT_REQ_HASH=n 34 | export CONFIG_BOOT_REQ_ROLLBACK=n 35 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 36 | export CONFIG_BOOT_KERNEL_REMOVE="" 37 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 38 | export CONFIG_BOARD_NAME="Librem Mini" 39 | export CONFIG_FLASHROM_OPTIONS="-p internal" 40 | export CONFIG_USB_KEYBOARD=y 41 | export CONFIG_AUTO_BOOT_TIMEOUT=5 42 | -------------------------------------------------------------------------------- /boards/librem_mini_v2/librem_mini_v2.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem mini v2 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini_v2.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=4.13 7 | export CONFIG_LINUX_VERSION=5.10.5 8 | export CONFIG_PURISM_BLOBS=y 9 | 10 | CONFIG_CRYPTSETUP=y 11 | CONFIG_FLASHROM=y 12 | CONFIG_FLASHTOOLS=y 13 | CONFIG_GPG2=y 14 | CONFIG_IOPORT=y 15 | CONFIG_KEXEC=y 16 | CONFIG_UTIL_LINUX=y 17 | CONFIG_LVM2=y 18 | CONFIG_MBEDTLS=y 19 | CONFIG_PCIUTILS=y 20 | CONFIG_POPT=y 21 | CONFIG_QRENCODE=y 22 | CONFIG_TPMTOTP=y 23 | 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | 30 | export CONFIG_TPM=n 31 | export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y 32 | 33 | export CONFIG_BOOTSCRIPT=/bin/gui-init 34 | export CONFIG_BOOT_REQ_HASH=n 35 | export CONFIG_BOOT_REQ_ROLLBACK=n 36 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 37 | export CONFIG_BOOT_KERNEL_REMOVE="" 38 | export CONFIG_BOOT_DEV="/dev/nvme0n1p1" 39 | export CONFIG_BOARD_NAME="Librem Mini v2" 40 | export CONFIG_FLASHROM_OPTIONS="-p internal" 41 | export CONFIG_USB_KEYBOARD=y 42 | export CONFIG_AUTO_BOOT_TIMEOUT=5 43 | -------------------------------------------------------------------------------- /boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config: -------------------------------------------------------------------------------- 1 | # Configuration for building a coreboot ROM that works in 2 | # the qemu emulator in GUI mode thanks to FBWhiptail 3 | 4 | export CONFIG_COREBOOT=y 5 | export CONFIG_COREBOOT_VERSION=4.8.1 6 | export CONFIG_LINUX_VERSION=4.14.62 7 | 8 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config 9 | CONFIG_LINUX_CONFIG=config/linux-qemu.config 10 | 11 | ifeq "$(CONFIG_UROOT)" "y" 12 | CONFIG_BUSYBOX=n 13 | else 14 | CONFIG_KEXEC=y 15 | CONFIG_QRENCODE=y 16 | CONFIG_TPMTOTP=y 17 | CONFIG_POPT=y 18 | CONFIG_FLASHTOOLS=y 19 | CONFIG_FLASHROM=y 20 | CONFIG_PCIUTILS=y 21 | CONFIG_UTIL_LINUX=y 22 | CONFIG_CRYPTSETUP=y 23 | CONFIG_GPG2=y 24 | CONFIG_LVM2=y 25 | CONFIG_MBEDTLS=y 26 | CONFIG_DROPBEAR=y 27 | CONFIG_MSRTOOLS=y 28 | 29 | #Required for graphical gui-init (FBWhiptail) 30 | CONFIG_CAIRO=y 31 | CONFIG_FBWHIPTAIL=y 32 | 33 | endif 34 | 35 | CONFIG_LINUX_ATA=y 36 | CONFIG_LINUX_AHCI=y 37 | CONFIG_LINUX_USB=y 38 | CONFIG_LINUX_E1000=y 39 | 40 | #Whiptail-based init (text-based or FBWhiptail) 41 | export CONFIG_BOOTSCRIPT=/bin/gui-init 42 | 43 | export CONFIG_TPM=n 44 | 45 | export CONFIG_BOOT_DEV="/dev/sda1" 46 | export CONFIG_BOARD_NAME="QEMU-fbwhiptail" 47 | 48 | #borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh 49 | run: 50 | qemu-system-x86_64 \ 51 | --machine q35 \ 52 | --bios $(build)/$(BOARD)/$(CB_OUTPUT_FILE) \ 53 | -object rng-random,filename=/dev/urandom,id=rng0 \ 54 | -device virtio-rng-pci,rng=rng0 \ 55 | -netdev user,id=u1 -device e1000,netdev=u1 \ 56 | -serial stdio \ 57 | ; stty sane 58 | -------------------------------------------------------------------------------- /boards/qemu-hvault-basic/qemu-hvault-basic.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic boards with conpanion usb controller and without tpm 2 | export CONFIG_COREBOOT=y 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-hvault-legacy.config 4 | CONFIG_LINUX_CONFIG=config/hvault-common.config 5 | export CONFIG_COREBOOT_VERSION=git 6 | export CONFIG_LINUX_VERSION=6.1.8 7 | 8 | CONFIG_CRYPTSETUP2=y 9 | #CONFIG_GPG2=y 10 | CONFIG_KEXEC=y 11 | CONFIG_UTIL_LINUX=y 12 | CONFIG_LVM2=y 13 | CONFIG_PCIUTILS=y 14 | CONFIG_POPT=y 15 | CONFIG_DROPBEAR=y 16 | CONFIG_MSRTOOLS=y 17 | 18 | #CONFIG_CAIRO=y 19 | #CONFIG_FBWHIPTAIL=y 20 | 21 | # Serial console only, no graphics 22 | 23 | CONFIG_LINUX_USB=y 24 | CONFIG_LINUX_USB_COMPANION_CONTROLLER=y 25 | CONFIG_LINUX_E1000E=y 26 | CONFIG_LINUX_IGB=n 27 | 28 | CONFIG_LINUX_SCSI_GDTH=n 29 | CONFIG_LINUX_ATA=y 30 | CONFIG_LINUX_AHCI=y 31 | CONFIG_LINUX_NVME=y 32 | CONFIG_LINUX_MEI=n 33 | 34 | #export CONFIG_SIGN_BOOT_CONFIG=y 35 | export CONFIG_TPM=n 36 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 37 | export CONFIG_BOOT_REQ_HASH=n 38 | export CONFIG_BOOT_REQ_ROLLBACK=n 39 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 40 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 41 | export CONFIG_BOOT_DEV="LABEL=boot" 42 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 43 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 44 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 45 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 46 | -------------------------------------------------------------------------------- /boards/qemu-hvault-generic/qemu-hvault-generic.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic target with e1000e NIC 2 | export CONFIG_COREBOOT=y 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-hvault.config 4 | CONFIG_LINUX_CONFIG=config/hvault-common.config 5 | export CONFIG_COREBOOT_VERSION=git 6 | export CONFIG_LINUX_VERSION=6.1.8 7 | 8 | CONFIG_CRYPTSETUP2=y 9 | CONFIG_FLASHROM=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_GPG2=y 12 | CONFIG_KEXEC=y 13 | CONFIG_UTIL_LINUX=y 14 | CONFIG_LVM2=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_TPMTOTP=y 18 | CONFIG_DROPBEAR=y 19 | CONFIG_MSRTOOLS=y 20 | export CONFIG_IO386=y 21 | 22 | #CONFIG_CAIRO=y 23 | #CONFIG_FBWHIPTAIL=y 24 | 25 | # Serial console only, no graphics 26 | 27 | CONFIG_LINUX_USB=y 28 | CONFIG_LINUX_E1000E=y 29 | CONFIG_LINUX_IGB=n 30 | 31 | CONFIG_LINUX_SCSI_GDTH=n 32 | CONFIG_LINUX_ATA=y 33 | CONFIG_LINUX_AHCI=y 34 | CONFIG_LINUX_NVME=y 35 | CONFIG_LINUX_MEI=n 36 | 37 | CONFIG_LINUX_MMC=y 38 | 39 | export CONFIG_SIGN_BOOT_CONFIG=y 40 | export CONFIG_MEASURE_KERNEL=y 41 | export CONFIG_TPM=y 42 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 43 | export CONFIG_BOOT_REQ_HASH=n 44 | export CONFIG_BOOT_REQ_ROLLBACK=n 45 | export CONFIG_IGNORE_ROLLBACK=y 46 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 47 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 48 | export CONFIG_BOOT_DEV="LABEL=boot" 49 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 50 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 51 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 52 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 53 | -------------------------------------------------------------------------------- /boards/qemu-hvault-legacy/qemu-hvault-legacy.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic boards with conpanion usb controller and without tpm 2 | export CONFIG_COREBOOT=y 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-hvault-legacy.config 4 | CONFIG_LINUX_CONFIG=config/hvault-common.config 5 | export CONFIG_COREBOOT_VERSION=git 6 | export CONFIG_LINUX_VERSION=6.1.8 7 | 8 | CONFIG_CRYPTSETUP2=y 9 | CONFIG_FLASHROM=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_GPG2=y 12 | CONFIG_KEXEC=y 13 | CONFIG_UTIL_LINUX=y 14 | CONFIG_LVM2=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_DROPBEAR=y 18 | CONFIG_MSRTOOLS=y 19 | export CONFIG_IO386=y 20 | 21 | #CONFIG_CAIRO=y 22 | #CONFIG_FBWHIPTAIL=y 23 | 24 | # Serial console only, no graphics 25 | 26 | CONFIG_LINUX_USB=y 27 | CONFIG_LINUX_USB_COMPANION_CONTROLLER=y 28 | CONFIG_LINUX_E1000E=y 29 | CONFIG_LINUX_IGB=n 30 | 31 | CONFIG_LINUX_SCSI_GDTH=n 32 | CONFIG_LINUX_ATA=y 33 | CONFIG_LINUX_AHCI=y 34 | CONFIG_LINUX_NVME=y 35 | CONFIG_LINUX_MEI=n 36 | 37 | CONFIG_LINUX_MMC=y 38 | CONFIG_LINUX_MMC_MINOR=y 39 | 40 | export CONFIG_SIGN_BOOT_CONFIG=y 41 | export CONFIG_TPM=n 42 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 43 | export CONFIG_BOOT_REQ_HASH=n 44 | export CONFIG_BOOT_REQ_ROLLBACK=n 45 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 46 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 47 | export CONFIG_BOOT_DEV="LABEL=boot" 48 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 49 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 50 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 51 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 52 | -------------------------------------------------------------------------------- /boards/qemu-hvault-tpm2-attest/qemu-hvault-tpm2-attest.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic target with e1000e NIC 2 | export CONFIG_COREBOOT=y 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-hvault-tpm2.config 4 | CONFIG_LINUX_CONFIG=config/hvault-common.config 5 | export CONFIG_COREBOOT_VERSION=git 6 | export CONFIG_LINUX_VERSION=6.1.8 7 | 8 | CONFIG_CRYPTSETUP2=y 9 | CONFIG_FLASHROM=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_GPG2=y 12 | CONFIG_KEXEC=y 13 | CONFIG_UTIL_LINUX=y 14 | CONFIG_LVM2=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_TPMTOTP=y 18 | CONFIG_DROPBEAR=y 19 | CONFIG_MSRTOOLS=y 20 | export CONFIG_IO386=y 21 | export CONFIG_AUTO_UNLOCK=y 22 | 23 | export CONFIG_TPM2_TOOLS=y 24 | export CONFIG_PRIMARY_KEY_TYPE=ecc 25 | CONFIG_TPM2_TSS=y 26 | CONFIG_OPENSSL=y 27 | CONFIG_CURL=y 28 | export CONFIG_ATTEST_TOOLS=y 29 | CONFIG_BASH=y 30 | CONFIG_VIM_XXD=y 31 | 32 | #CONFIG_CAIRO=y 33 | #CONFIG_FBWHIPTAIL=y 34 | 35 | # Serial console only, no graphics 36 | 37 | CONFIG_LINUX_USB=y 38 | CONFIG_LINUX_E1000E=y 39 | CONFIG_LINUX_IGB=n 40 | 41 | CONFIG_LINUX_SCSI_GDTH=n 42 | CONFIG_LINUX_ATA=y 43 | CONFIG_LINUX_AHCI=y 44 | CONFIG_LINUX_NVME=y 45 | 46 | export CONFIG_SIGN_BOOT_CONFIG=y 47 | export CONFIG_MEASURE_KERNEL=y 48 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 49 | export CONFIG_USB_KEYBOARD=y 50 | export CONFIG_BOOT_REQ_HASH=n 51 | export CONFIG_BOOT_REQ_ROLLBACK=n 52 | export CONFIG_IGNORE_ROLLBACK=y 53 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 54 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 55 | export CONFIG_BOOT_DEV="LABEL=boot" 56 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 57 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 58 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 59 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 60 | -------------------------------------------------------------------------------- /boards/qemu-hvault-tpm2-nobootsig/qemu-hvault-tpm2-nobootsig.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic target with e1000e NIC 2 | export CONFIG_COREBOOT=y 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-hvault-tpm2.config 4 | CONFIG_LINUX_CONFIG=config/hvault-common.config 5 | export CONFIG_COREBOOT_VERSION=git 6 | export CONFIG_LINUX_VERSION=6.1.8 7 | 8 | CONFIG_CRYPTSETUP2=y 9 | CONFIG_FLASHROM=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_GPG2=y 12 | CONFIG_KEXEC=y 13 | CONFIG_UTIL_LINUX=y 14 | CONFIG_LVM2=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_TPMTOTP=y 18 | CONFIG_DROPBEAR=y 19 | CONFIG_MSRTOOLS=y 20 | export CONFIG_IO386=y 21 | export CONFIG_AUTO_UNLOCK=y 22 | 23 | export CONFIG_TPM2_TOOLS=y 24 | export CONFIG_PRIMARY_KEY_TYPE=ecc 25 | CONFIG_TPM2_TSS=y 26 | CONFIG_OPENSSL=y 27 | 28 | #CONFIG_CAIRO=y 29 | #CONFIG_FBWHIPTAIL=y 30 | 31 | # Serial console only, no graphics 32 | 33 | CONFIG_LINUX_USB=y 34 | CONFIG_LINUX_E1000E=y 35 | CONFIG_LINUX_IGB=n 36 | 37 | CONFIG_LINUX_SCSI_GDTH=n 38 | CONFIG_LINUX_ATA=y 39 | CONFIG_LINUX_AHCI=y 40 | CONFIG_LINUX_NVME=y 41 | CONFIG_LINUX_MEI=n 42 | 43 | CONFIG_LINUX_MMC=y 44 | CONFIG_LINUX_MMC_MINOR=y 45 | 46 | #export CONFIG_SIGN_BOOT_CONFIG=y 47 | export CONFIG_MEASURE_KERNEL=y 48 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 49 | export CONFIG_USB_KEYBOARD=y 50 | export CONFIG_BOOT_REQ_HASH=n 51 | #export CONFIG_BOOT_REQ_ROLLBACK=n 52 | export CONFIG_IGNORE_ROLLBACK=y 53 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 54 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 55 | export CONFIG_BOOT_DEV="LABEL=boot" 56 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 57 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 58 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 59 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 60 | -------------------------------------------------------------------------------- /boards/qemu-hvault-tpm2/qemu-hvault-tpm2.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic target with e1000e NIC 2 | export CONFIG_COREBOOT=y 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-hvault-tpm2.config 4 | CONFIG_LINUX_CONFIG=config/hvault-common.config 5 | export CONFIG_COREBOOT_VERSION=git 6 | export CONFIG_LINUX_VERSION=6.1.8 7 | 8 | CONFIG_CRYPTSETUP2=y 9 | CONFIG_FLASHROM=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_GPG2=y 12 | CONFIG_KEXEC=y 13 | CONFIG_UTIL_LINUX=y 14 | CONFIG_LVM2=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_TPMTOTP=y 18 | CONFIG_DROPBEAR=y 19 | CONFIG_MSRTOOLS=y 20 | export CONFIG_IO386=y 21 | export CONFIG_AUTO_UNLOCK=y 22 | 23 | export CONFIG_TPM2_TOOLS=y 24 | export CONFIG_PRIMARY_KEY_TYPE=ecc 25 | CONFIG_TPM2_TSS=y 26 | CONFIG_OPENSSL=y 27 | 28 | #CONFIG_CAIRO=y 29 | #CONFIG_FBWHIPTAIL=y 30 | 31 | # Serial console only, no graphics 32 | 33 | CONFIG_LINUX_USB=y 34 | CONFIG_LINUX_E1000E=y 35 | CONFIG_LINUX_IGB=n 36 | 37 | CONFIG_LINUX_SCSI_GDTH=n 38 | CONFIG_LINUX_ATA=y 39 | CONFIG_LINUX_AHCI=y 40 | CONFIG_LINUX_NVME=y 41 | CONFIG_LINUX_MEI=n 42 | 43 | CONFIG_LINUX_MMC=y 44 | CONFIG_LINUX_MMC_MINOR=y 45 | 46 | export CONFIG_SIGN_BOOT_CONFIG=y 47 | export CONFIG_MEASURE_KERNEL=y 48 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 49 | export CONFIG_USB_KEYBOARD=y 50 | export CONFIG_BOOT_REQ_HASH=n 51 | export CONFIG_BOOT_REQ_ROLLBACK=n 52 | export CONFIG_IGNORE_ROLLBACK=y 53 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 54 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 55 | export CONFIG_BOOT_DEV="LABEL=boot" 56 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 57 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 58 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 59 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 60 | -------------------------------------------------------------------------------- /boards/qemu-linuxboot/qemu-linuxboot.config: -------------------------------------------------------------------------------- 1 | # Configuration for emulating LinuxBoot+Heads with qemu 2 | # 3 | export CONFIG_LINUXBOOT=y 4 | export CONFIG_LINUX_VERSION=4.14.62 5 | 6 | CONFIG_LINUXBOOT_BOARD=qemu 7 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 8 | 9 | ifeq "$(CONFIG_UROOT)" "y" 10 | CONFIG_BUSYBOX=n 11 | else 12 | CONFIG_CRYPTSETUP=y 13 | CONFIG_LVM2=y 14 | CONFIG_MBEDTLS=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_QRENCODE=y 18 | CONFIG_TPMTOTP=y 19 | endif 20 | 21 | CONFIG_FLASHROM=y 22 | CONFIG_FLASHTOOLS=y 23 | CONFIG_GPG2=y 24 | CONFIG_KEXEC=y 25 | CONFIG_UTIL_LINUX=y 26 | CONFIG_DROPBEAR=y 27 | #CONFIG_FROTZ=y 28 | 29 | CONFIG_LINUX_USB=y 30 | CONFIG_LINUX_E1000=y 31 | CONFIG_LINUX_SCSI_GDTH=y 32 | CONFIG_LINUX_ATA=y 33 | CONFIG_LINUX_AHCI=y 34 | 35 | export CONFIG_BOOTSCRIPT=/bin/generic-init 36 | export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery 37 | 38 | export CONFIG_BOOT_REQ_HASH=n 39 | export CONFIG_BOOT_REQ_ROLLBACK=n 40 | export CONFIG_BOOT_DEV="/dev/sda1" 41 | export CONFIG_BOOT_STATIC_IP=10.0.2.15 42 | 43 | # You can ssh into the qemu instance by running 44 | # ssh -p 5555 root@localhost 45 | # The LinuxBoot firmware should set its ip address to 10.0.2.15 46 | # or run udhcpc to get a qemu address 47 | 48 | run: 49 | qemu-system-x86_64 \ 50 | -machine q35,smm=on \ 51 | -global ICH9-LPC.disable_s3=1 \ 52 | -global driver=cfi.pflash01,property=secure,value=on \ 53 | -redir tcp:5555::22 \ 54 | --serial $(or $(SERIAL),/dev/tty) \ 55 | -drive if=pflash,format=raw,unit=0,file=$(build)/$(BOARD)/linuxboot.rom 56 | stty sane 57 | 58 | -------------------------------------------------------------------------------- /boards/r630/r630.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Dell R630 2 | # flashrom doesn't work on this mainboard 3 | # and it is NERF, not coreboot. 4 | CONFIG_LINUXBOOT=y 5 | CONFIG_LINUXBOOT_ROM=blobs/r630-1.3.6.rom 6 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 7 | 8 | export CONFIG_LINUX_VERSION=4.14.62 9 | 10 | #CONFIG_CRYPTSETUP=y 11 | CONFIG_FLASHROM=y 12 | #CONFIG_GPG=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | #CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=y 22 | 23 | CONFIG_LINUX_USB=y 24 | CONFIG_LINUX_IGB=y 25 | CONFIG_LINUX_MEGARAID=y 26 | CONFIG_LINUX_E1000E=y 27 | 28 | export CONFIG_BOOTSCRIPT=/bin/generic-init 29 | 30 | export CONFIG_BOOT_REQ_HASH=n 31 | export CONFIG_BOOT_REQ_ROLLBACK=n 32 | export CONFIG_BOOT_DEV="/dev/sda1" 33 | -------------------------------------------------------------------------------- /boards/rpi4-hvault-tpm2-attest/rpi4-hvault-tpm2-attest.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic target with e1000e NIC 2 | CONFIG_LINUX_CONFIG=config/hvault-rpi4-aarch64.config 3 | export CONFIG_LINUX_VERSION=1.20220331 4 | 5 | CONFIG_CRYPTSETUP2=y 6 | CONFIG_GPG=y 7 | CONFIG_KEXEC=y 8 | CONFIG_UTIL_LINUX=y 9 | CONFIG_LVM2=y 10 | CONFIG_MBEDTLS=y 11 | CONFIG_POPT=y 12 | CONFIG_QRENCODE=y 13 | CONFIG_TPMTOTP=y 14 | CONFIG_DROPBEAR=y 15 | export CONFIG_AUTO_UNLOCK=y 16 | 17 | export CONFIG_TPM2_TOOLS=y 18 | export CONFIG_PRIMARY_KEY_TYPE=ecc 19 | CONFIG_TPM2_TSS=y 20 | CONFIG_OPENSSL=y 21 | 22 | CONFIG_CURL=y 23 | CONFIG_BASH=y 24 | CONFIG_VIM_XXD=y 25 | export CONFIG_ATTEST_TOOLS=y 26 | 27 | #CONFIG_CAIRO=y 28 | #CONFIG_FBWHIPTAIL=y 29 | 30 | # Serial console only, no graphics 31 | 32 | CONFIG_LINUX_USB=y 33 | 34 | # rpi4 has no SCSI, (S)ATA, nor NVME 35 | CONFIG_LINUX_SCSI_GDTH=n 36 | CONFIG_LINUX_ATA=n 37 | CONFIG_LINUX_AHCI=n 38 | CONFIG_LINUX_NVME=n 39 | 40 | # rpi4 has no RTC 41 | export CONFIG_NO_RTC=y 42 | 43 | # MMC drivers are all statically linked to kernel 44 | CONFIG_LINUX_MMC=n 45 | CONFIG_LINUX_MMC_MINOR=n 46 | CONFIG_LINUX_MMC_AARCH64=n 47 | 48 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 49 | export CONFIG_BOOT_REQ_HASH=n 50 | export CONFIG_BOOT_REQ_ROLLBACK=n 51 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 52 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 53 | export CONFIG_LDR_DEV="LABEL=LDR" 54 | export CONFIG_BOOT_DEV="LABEL=writable" 55 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 56 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 57 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 58 | -------------------------------------------------------------------------------- /boards/rpi4-hvault-tpm2/rpi4-hvault-tpm2.config: -------------------------------------------------------------------------------- 1 | # Configuration for generic target with e1000e NIC 2 | CONFIG_LINUX_CONFIG=config/hvault-rpi4-aarch64.config 3 | export CONFIG_LINUX_VERSION=1.20220331 4 | 5 | CONFIG_CRYPTSETUP2=y 6 | CONFIG_GPG=y 7 | CONFIG_KEXEC=y 8 | CONFIG_UTIL_LINUX=y 9 | CONFIG_LVM2=y 10 | CONFIG_MBEDTLS=y 11 | CONFIG_POPT=y 12 | CONFIG_QRENCODE=y 13 | CONFIG_TPMTOTP=y 14 | CONFIG_DROPBEAR=y 15 | export CONFIG_AUTO_UNLOCK=y 16 | 17 | export CONFIG_TPM2_TOOLS=y 18 | export CONFIG_PRIMARY_KEY_TYPE=ecc 19 | CONFIG_TPM2_TSS=y 20 | CONFIG_OPENSSL=y 21 | 22 | #CONFIG_CAIRO=y 23 | #CONFIG_FBWHIPTAIL=y 24 | 25 | # Serial console only, no graphics 26 | 27 | CONFIG_LINUX_USB=y 28 | 29 | # rpi4 has no SCSI, (S)ATA, nor NVME 30 | CONFIG_LINUX_SCSI_GDTH=n 31 | CONFIG_LINUX_ATA=n 32 | CONFIG_LINUX_AHCI=n 33 | CONFIG_LINUX_NVME=n 34 | 35 | # rpi4 has no RTC 36 | export CONFIG_NO_RTC=y 37 | 38 | # MMC drivers are all statically linked to kernel 39 | CONFIG_LINUX_MMC=n 40 | CONFIG_LINUX_MMC_MINOR=n 41 | CONFIG_LINUX_MMC_AARCH64=n 42 | 43 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 44 | export CONFIG_BOOT_REQ_HASH=n 45 | export CONFIG_BOOT_REQ_ROLLBACK=n 46 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 47 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 48 | export CONFIG_LDR_DEV="LABEL=LDR" 49 | export CONFIG_BOOT_DEV="LABEL=writable" 50 | export CONFIG_USB_BOOT_DEV="/dev/sdc1" 51 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 52 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 53 | -------------------------------------------------------------------------------- /boards/s2600wf/s2600wf.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Intel S2600wf server mainboard 2 | # and it is NERF, not coreboot. 3 | # 4 | # Booting with UEFI in recovery (0xFEC00000) potentially 5 | # gives us 7 MB of # space for Heads and NERF. However, 6 | # there appears to be a bug if the fvh spans a 4 MB 7 | # region. 8 | # 9 | # The DxeCore also needs to be updated to know about the 10 | # new firmware volume location. 11 | # 12 | CONFIG_LINUXBOOT=y 13 | CONFIG_LINUXBOOT_ROM=blobs/s2600wf.rom 14 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 15 | 16 | export CONFIG_LINUX_VERSION=4.14.62 17 | 18 | #CONFIG_CRYPTSETUP=y 19 | #CONFIG_FLASHROM=y 20 | CONFIG_FLASHTOOLS=y 21 | CONFIG_GPG=y 22 | CONFIG_KEXEC=y 23 | CONFIG_UTIL_LINUX=y 24 | #CONFIG_LVM2=y 25 | #CONFIG_MBEDTLS=y 26 | CONFIG_PCIUTILS=y 27 | #CONFIG_POPT=y 28 | #CONFIG_QRENCODE=y 29 | #CONFIG_TPMTOTP=y 30 | CONFIG_DROPBEAR=y 31 | 32 | CONFIG_LINUX_USB=y 33 | #CONFIG_LINUX_IGB=y 34 | #CONFIG_LINUX_MEGARAID=y 35 | #CONFIG_LINUX_E1000E=y 36 | CONFIG_LINUX_SCSI_GDTH=y 37 | CONFIG_LINUX_ATA=y 38 | CONFIG_LINUX_AHCI=y 39 | 40 | export CONFIG_TPM=n 41 | export CONFIG_BOOTSCRIPT=/bin/generic-init 42 | export CONFIG_BOOT_REQ_HASH=n 43 | export CONFIG_BOOT_REQ_ROLLBACK=n 44 | export CONFIG_BOOT_DEV="/dev/sda1" 45 | -------------------------------------------------------------------------------- /boards/supermicro-x11ssh-f/supermicro-x11ssh-f.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Supermicro X11SSH-T / -TF server 2 | # It has an AST2400 BMC for vga output; the built in i915 is not accessible 3 | export CONFIG_COREBOOT=y 4 | export CONFIG_COREBOOT_VERSION=git 5 | CONFIG_COREBOOT_CONFIG=config/coreboot-supermicro-x11ssh-f.config 6 | CONFIG_LINUX_CONFIG=config/hvault-common.config 7 | export CONFIG_LINUX_VERSION=5.4.68 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=y 22 | CONFIG_MSRTOOLS=y 23 | export CONFIG_IO386=y 24 | export CONFIG_USB_KEYBOARD=y 25 | 26 | #CONFIG_CAIRO=y 27 | #CONFIG_FBWHIPTAIL=y 28 | 29 | # Serial console only, no graphics 30 | 31 | CONFIG_LINUX_USB=y 32 | CONFIG_LINUX_IGB=y 33 | 34 | CONFIG_LINUX_SCSI_GDTH=y 35 | CONFIG_LINUX_ATA=y 36 | CONFIG_LINUX_AHCI=y 37 | CONFIG_LINUX_NVME=y 38 | CONFIG_LINUX_MEI=y 39 | 40 | 41 | export CONFIG_TPM=y 42 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 43 | export CONFIG_BOOT_REQ_HASH=n 44 | export CONFIG_BOOT_REQ_ROLLBACK=n 45 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 46 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 47 | export CONFIG_BOOT_DEV="LABEL=boot" 48 | export CONFIG_USB_BOOT_DEV="/dev/sdb1" 49 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 50 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 51 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 52 | -------------------------------------------------------------------------------- /boards/supermicro-x11ssh-tf/supermicro-x11ssh-tf.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Supermicro X11SSH-T / -TF server 2 | # It has an AST2400 BMC for vga output; the built in i915 is not accessible 3 | export CONFIG_COREBOOT=y 4 | export CONFIG_COREBOOT_VERSION=git 5 | CONFIG_COREBOOT_CONFIG=config/coreboot-supermicro-x11ssh.config 6 | CONFIG_LINUX_CONFIG=config/hvault-common.config 7 | export CONFIG_LINUX_VERSION=5.4.68 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=y 22 | CONFIG_MSRTOOLS=y 23 | export CONFIG_IO386=y 24 | export CONFIG_USB_KEYBOARD=y 25 | 26 | #CONFIG_CAIRO=y 27 | #CONFIG_FBWHIPTAIL=y 28 | 29 | # Serial console only, no graphics 30 | 31 | CONFIG_LINUX_USB=y 32 | CONFIG_LINUX_IGB=y 33 | 34 | CONFIG_LINUX_SCSI_GDTH=y 35 | CONFIG_LINUX_ATA=y 36 | CONFIG_LINUX_AHCI=y 37 | CONFIG_LINUX_NVME=y 38 | CONFIG_LINUX_MEI=y 39 | 40 | 41 | export CONFIG_TPM=y 42 | export CONFIG_BOOTSCRIPT=/bin/autoboot-init 43 | export CONFIG_BOOT_REQ_HASH=n 44 | export CONFIG_BOOT_REQ_ROLLBACK=n 45 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" 46 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 47 | export CONFIG_BOOT_DEV="LABEL=boot" 48 | export CONFIG_USB_BOOT_DEV="/dev/sdb1" 49 | #export CONFIG_BOOT_GUI_MENU_NAME="Supermicro x11ssh-tf Heads Boot Menu" 50 | #export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" 51 | #export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 52 | -------------------------------------------------------------------------------- /boards/t420/t420.config: -------------------------------------------------------------------------------- 1 | # Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. 2 | export CONFIG_COREBOOT=y 3 | export CONFIG_COREBOOT_VERSION=4.8.1 4 | export CONFIG_LINUX_VERSION=4.14.62 5 | 6 | CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config 7 | CONFIG_LINUX_CONFIG=config/linux-x230.config 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=y 22 | 23 | CONFIG_CAIRO=y 24 | CONFIG_FBWHIPTAIL=y 25 | 26 | CONFIG_LINUX_USB=y 27 | CONFIG_LINUX_E1000E=y 28 | 29 | export CONFIG_TPM=y 30 | export CONFIG_BOOTSCRIPT=/bin/gui-init 31 | export CONFIG_BOOT_REQ_HASH=n 32 | export CONFIG_BOOT_REQ_ROLLBACK=n 33 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" 34 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 35 | export CONFIG_BOOT_DEV="/dev/sda1" 36 | export CONFIG_BOARD_NAME="ThinkPad T420" 37 | export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq --ifd --image bios" 38 | -------------------------------------------------------------------------------- /boards/t430-flash/t430-flash.config: -------------------------------------------------------------------------------- 1 | # Minimal configuration for a t430 to support flashrom, USB and networking 2 | BOARD=t430.flash 3 | 4 | export CONFIG_COREBOOT=y 5 | export CONFIG_COREBOOT_VERSION=4.8.1 6 | export CONFIG_LINUX_VERSION=4.14.62 7 | 8 | CONFIG_FLASHROM=y 9 | #CONFIG_GPG=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_PCIUTILS=y 12 | #CONFIG_MBEDTLS=y 13 | #CONFIG_QRENCODE=y 14 | #CONFIG_TPMTOTP=y 15 | #CONFIG_DROPBEAR=y 16 | 17 | CONFIG_LINUX_CONFIG=config/linux-x230-flash.config 18 | CONFIG_LINUX_USB=y 19 | CONFIG_LINUX_E1000E=y 20 | 21 | export CONFIG_BOOTSCRIPT=/bin/t430-flash.init 22 | export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" 23 | 24 | # This board is "special" in that we only want the top 4 MB of the ROM 25 | # for flashing into SPI flash 1 on the mainboard. This is enough to 26 | # allow the board to boot into a minimal Heads and read the full 27 | # ROM from an external USB media. 28 | all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom 29 | $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) 30 | $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) 31 | @sha256sum $@ 32 | #We remove the original ROM, leaving only the 4mb top one 33 | rm $(build)/$(BOARD)/$(CB_OUTPUT_FILE) 34 | -------------------------------------------------------------------------------- /boards/tioga/tioga.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Tioga Pass (Wiwynn) OCP node 2 | # and it uses LinuxBoot, not coreboot. 3 | CONFIG_LINUXBOOT=y 4 | CONFIG_LINUXBOOT_ROM=blobs/tioga.rom 5 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 6 | 7 | export CONFIG_LINUX_VERSION=4.14.62 8 | 9 | # If you want to build with the go-based u-root instead of Heads 10 | CONFIG_UROOT ?= n 11 | 12 | ifeq "$(CONFIG_UROOT)" "y" 13 | # The busybox will likely be redundant and can be trimmed for space. 14 | CONFIG_BUSYBOX=n 15 | CONFIG_ZLIB=n 16 | CONFIG_MUSL=n 17 | else 18 | # These don't fit if u-root is turned on 19 | #CONFIG_CRYPTSETUP=y 20 | #CONFIG_FLASHROM=y 21 | CONFIG_FLASHTOOLS=y 22 | #CONFIG_GPG=y 23 | CONFIG_KEXEC=y 24 | CONFIG_UTIL_LINUX=y 25 | #CONFIG_LVM2=y 26 | CONFIG_MBEDTLS=y 27 | CONFIG_PCIUTILS=y 28 | CONFIG_POPT=y 29 | CONFIG_QRENCODE=y 30 | CONFIG_TPMTOTP=y 31 | CONFIG_DROPBEAR=y 32 | endif 33 | 34 | # Linux modules will still be linked into the u-root tree 35 | CONFIG_LINUX_USB=y 36 | #CONFIG_LINUX_MLX4=y 37 | #CONFIG_LINUX_ATA=y 38 | #CONFIG_LINUX_AHCI=y 39 | #CONFIG_LINUX_E1000E=y 40 | CONFIG_LINUX_NVME=y 41 | CONFIG_LINUX_BCM=y 42 | 43 | export CONFIG_BOOTSCRIPT=/bin/generic-init 44 | export CONFIG_TPM=n 45 | export CONFIG_BOOT_REQ_HASH=n 46 | export CONFIG_BOOT_REQ_ROLLBACK=n 47 | export CONFIG_BOOT_DEV="/dev/sda1" 48 | 49 | $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate 50 | 51 | -------------------------------------------------------------------------------- /boards/winterfell/uinit.go: -------------------------------------------------------------------------------- 1 | // Copyright 2012-2017 the u-root Authors. All rights reserved 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // This is winterfell init script 6 | package main 7 | 8 | import ( 9 | "log" 10 | "os" 11 | "os/exec" 12 | "strings" 13 | ) 14 | 15 | var ( 16 | commands = []string{ 17 | "/bbin/insmod /lib/modules/nvme-core.ko", 18 | "/bbin/insmod /lib/modules/nvme.ko", 19 | "/bbin/insmod /lib/modules/libata.ko", 20 | "/bbin/insmod /lib/modules/libahci.ko", 21 | "/bbin/insmod /lib/modules/ahci.ko", 22 | "/bbin/rsdp", 23 | } 24 | ) 25 | 26 | func main() { 27 | for _, line := range commands { 28 | log.Printf("Executing Command: %v", line) 29 | cmdSplit := strings.Split(line, " ") 30 | if len(cmdSplit) == 0 { 31 | continue 32 | } 33 | 34 | cmd := exec.Command(cmdSplit[0], cmdSplit[1:]...) 35 | cmd.Stdin = os.Stdin 36 | cmd.Stderr = os.Stderr 37 | cmd.Stdout = os.Stdout 38 | if err := cmd.Run(); err != nil { 39 | log.Print(err) 40 | } 41 | 42 | } 43 | log.Print("Uinit Done!") 44 | } 45 | -------------------------------------------------------------------------------- /boards/winterfell/winterfell.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Winterfell OCP node 2 | # and it uses LinuxBoot, not coreboot. 3 | CONFIG_LINUXBOOT=y 4 | CONFIG_LINUXBOOT_ROM=blobs/winterfell.rom 5 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 6 | 7 | export CONFIG_LINUX_VERSION=4.14.62 8 | 9 | # If you want to build with the go-based u-root instead of Heads 10 | CONFIG_UROOT ?= y 11 | 12 | ifeq "$(CONFIG_UROOT)" "y" 13 | # The busybox will likely be redundant and can be trimmed for space. 14 | CONFIG_BUSYBOX=n 15 | CONFIG_ZLIB=n 16 | CONFIG_MUSL=n 17 | else 18 | # These don't fit if u-root is turned on 19 | #CONFIG_CRYPTSETUP=y 20 | #CONFIG_FLASHROM=y 21 | CONFIG_FLASHTOOLS=y 22 | CONFIG_GPG=y 23 | CONFIG_KEXEC=y 24 | CONFIG_UTIL_LINUX=y 25 | #CONFIG_LVM2=y 26 | #CONFIG_MBEDTLS=y 27 | CONFIG_PCIUTILS=y 28 | CONFIG_POPT=y 29 | #CONFIG_QRENCODE=y 30 | #CONFIG_TPMTOTP=y 31 | CONFIG_DROPBEAR=y 32 | endif 33 | 34 | # Linux modules will still be linked into the u-root tree 35 | CONFIG_LINUX_USB=y 36 | CONFIG_LINUX_MLX4=y 37 | CONFIG_LINUX_ATA=y 38 | CONFIG_LINUX_AHCI=y 39 | CONFIG_LINUX_E1000E=y 40 | CONFIG_LINUX_NVME=y 41 | 42 | export CONFIG_BOOTSCRIPT=/bin/generic-init 43 | export CONFIG_TPM=n 44 | export CONFIG_BOOT_REQ_HASH=n 45 | export CONFIG_BOOT_REQ_ROLLBACK=n 46 | export CONFIG_BOOT_DEV="/dev/sda1" 47 | 48 | #$(build)/$(BOARD)/linuxboot.rom: $(build)/$(linuxboot_dir)/ 49 | 50 | # No 0x on these since the flasher doesn't handle that 51 | dxe_offset := 860000 52 | dxe_size := 6a0000 53 | flash-dxe: $(build)/$(BOARD)/linuxboot.rom 54 | ( echo u$(dxe_offset) $(dxe_size) ; \ 55 | pv $(build)/linuxboot-git/build/$(BOARD)/dxe.vol \ 56 | ) > /dev/ttyACM0 57 | 58 | flash: $(build)/$(BOARD)/linuxboot.rom 59 | ( echo u0 1000000 ; \ 60 | pv $< \ 61 | ) > /dev/ttyACM0 62 | -------------------------------------------------------------------------------- /boards/x220/x220.config: -------------------------------------------------------------------------------- 1 | # Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. 2 | export CONFIG_COREBOOT=y 3 | export CONFIG_COREBOOT_VERSION=4.8.1 4 | export CONFIG_LINUX_VERSION=4.14.62 5 | 6 | CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config 7 | CONFIG_LINUX_CONFIG=config/linux-x230.config 8 | 9 | CONFIG_CRYPTSETUP=y 10 | CONFIG_FLASHROM=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=y 22 | 23 | CONFIG_CAIRO=y 24 | CONFIG_FBWHIPTAIL=y 25 | 26 | CONFIG_LINUX_USB=y 27 | CONFIG_LINUX_E1000E=y 28 | 29 | export CONFIG_TPM=y 30 | export CONFIG_BOOTSCRIPT=/bin/gui-init 31 | export CONFIG_BOOT_REQ_HASH=n 32 | export CONFIG_BOOT_REQ_ROLLBACK=n 33 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" 34 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 35 | export CONFIG_BOOT_DEV="/dev/sda1" 36 | export CONFIG_BOARD_NAME="ThinkPad X220" 37 | export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq --ifd --image bios" 38 | -------------------------------------------------------------------------------- /boards/x230-flash/x230-flash.config: -------------------------------------------------------------------------------- 1 | # Minimal configuration for a x230 to support flashrom, USB and networking 2 | BOARD=x230.flash 3 | 4 | export CONFIG_COREBOOT=y 5 | export CONFIG_COREBOOT_VERSION=4.8.1 6 | export CONFIG_LINUX_VERSION=4.14.62 7 | 8 | CONFIG_FLASHROM=y 9 | #CONFIG_GPG=y 10 | CONFIG_FLASHTOOLS=y 11 | CONFIG_PCIUTILS=y 12 | #CONFIG_MBEDTLS=y 13 | #CONFIG_QRENCODE=y 14 | #CONFIG_TPMTOTP=y 15 | #CONFIG_DROPBEAR=y 16 | 17 | CONFIG_LINUX_CONFIG=config/linux-x230-flash.config 18 | CONFIG_LINUX_USB=y 19 | CONFIG_LINUX_E1000E=y 20 | 21 | export CONFIG_BOOTSCRIPT=/bin/x230-flash.init 22 | export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" 23 | 24 | # This board is "special" in that we only want the top 4 MB of the ROM 25 | # for flashing into SPI flash 1 on the mainboard. This is enough to 26 | # allow the board to boot into a minimal Heads and read the full 27 | # ROM from an external USB media. 28 | all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom 29 | $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) 30 | $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) 31 | @sha256sum $@ 32 | #We remove the original ROM, leaving only the 4mb top one 33 | rm $(build)/$(BOARD)/$(CB_OUTPUT_FILE) 34 | -------------------------------------------------------------------------------- /boards/x230/x230.config: -------------------------------------------------------------------------------- 1 | # Configuration for a x230 running Qubes and other OSes 2 | # STATIC_OPTION_TABLE is set inside of coreboot config 3 | # 4 | # Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 : 5 | # dropbear support(ssh client/server) 6 | # e1000e (ethernet driver) 7 | export CONFIG_COREBOOT=y 8 | export CONFIG_COREBOOT_VERSION=4.8.1 9 | export CONFIG_LINUX_VERSION=4.14.62 10 | 11 | CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config 12 | CONFIG_LINUX_CONFIG=config/linux-x230.config 13 | 14 | CONFIG_CRYPTSETUP=y 15 | CONFIG_FLASHROM=y 16 | CONFIG_FLASHTOOLS=y 17 | CONFIG_GPG2=y 18 | CONFIG_KEXEC=y 19 | CONFIG_UTIL_LINUX=y 20 | CONFIG_LVM2=y 21 | CONFIG_MBEDTLS=y 22 | CONFIG_PCIUTILS=y 23 | CONFIG_POPT=y 24 | CONFIG_QRENCODE=y 25 | CONFIG_TPMTOTP=y 26 | 27 | #CONFIG_SLANG=y 28 | #CONFIG_NEWT=y 29 | CONFIG_CAIRO=y 30 | CONFIG_FBWHIPTAIL=y 31 | 32 | CONFIG_LINUX_USB=y 33 | 34 | #SSH client/server 35 | CONFIG_DROPBEAR=n 36 | #Ethernet driver (Heads only) 37 | CONFIG_LINUX_E1000E=n 38 | 39 | export CONFIG_TPM=y 40 | export CONFIG_BOOTSCRIPT=/bin/gui-init 41 | export CONFIG_BOOT_REQ_HASH=n 42 | export CONFIG_BOOT_REQ_ROLLBACK=n 43 | export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" 44 | export CONFIG_BOOT_KERNEL_REMOVE="quiet" 45 | export CONFIG_BOOT_DEV="/dev/sda1" 46 | export CONFIG_BOARD_NAME="Thinkpad X230" 47 | export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" 48 | 49 | # This board has two SPI flash chips, an 8 MB that holds the IFD, 50 | # the ME image and part of the coreboot image, and a 4 MB one that 51 | # has the rest of the coreboot and the reset vector. 52 | # 53 | # Only flashing to the bios region is safe to do. The easiest is to 54 | # flash internally when the IFD is unlocked for writing, and x230-flash 55 | # is installed first. 56 | -------------------------------------------------------------------------------- /build/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /config/coreboot-kgpe-d16_server-whiptail.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_OPTION_TABLE=y 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_VENDOR_ASUS=y 4 | CONFIG_UART_FOR_CONSOLE=1 5 | CONFIG_BOARD_ASUS_KGPE_D16=y 6 | CONFIG_DRIVERS_PS2_KEYBOARD=y 7 | CONFIG_COREBOOT_ROMSIZE_KB_16384=y 8 | CONFIG_SOUTHBRIDGE_AMD_SB700_33MHZ_SPI=y 9 | # CONFIG_DRIVERS_INTEL_WIFI is not set 10 | CONFIG_MEASURED_BOOT=y 11 | CONFIG_USER_TPM1=y 12 | CONFIG_TPM_RDRESP_NEED_DELAY=y 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_PAYLOAD_FILE="../../build/kgpe-d16_server-whiptail/bzImage" 16 | CONFIG_LINUX_COMMAND_LINE="nohz=on console=tty0 earlyprintk=tty0" 17 | CONFIG_LINUX_INITRD="../../build/kgpe-d16_server-whiptail/initrd.cpio.xz" 18 | CONFIG_CPU_MICROCODE_CBFS_NONE=y 19 | -------------------------------------------------------------------------------- /config/coreboot-kgpe-d16_server.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_OPTION_TABLE=y 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_VENDOR_ASUS=y 4 | CONFIG_UART_FOR_CONSOLE=1 5 | CONFIG_BOARD_ASUS_KGPE_D16=y 6 | CONFIG_DRIVERS_PS2_KEYBOARD=y 7 | CONFIG_COREBOOT_ROMSIZE_KB_16384=y 8 | CONFIG_SOUTHBRIDGE_AMD_SB700_33MHZ_SPI=y 9 | # CONFIG_DRIVERS_INTEL_WIFI is not set 10 | CONFIG_MEASURED_BOOT=y 11 | CONFIG_USER_TPM1=y 12 | CONFIG_TPM_RDRESP_NEED_DELAY=y 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_LINUX_COMMAND_LINE="nohz=on console=ttyS1,115200n8 earlyprintk=ttyS1,115200" 16 | CONFIG_PAYLOAD_FILE="../../build/kgpe-d16_server/bzImage" 17 | CONFIG_LINUX_INITRD="../../build/kgpe-d16_server/initrd.cpio.xz" 18 | CONFIG_CPU_MICROCODE_CBFS_NONE=y 19 | -------------------------------------------------------------------------------- /config/coreboot-kgpe-d16_workstation-usb_keyboard.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_OPTION_TABLE=y 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_VENDOR_ASUS=y 4 | CONFIG_UART_FOR_CONSOLE=1 5 | CONFIG_BOARD_ASUS_KGPE_D16=y 6 | CONFIG_DRIVERS_PS2_KEYBOARD=y 7 | CONFIG_COREBOOT_ROMSIZE_KB_16384=y 8 | CONFIG_SOUTHBRIDGE_AMD_SB700_33MHZ_SPI=y 9 | # CONFIG_DRIVERS_INTEL_WIFI is not set 10 | CONFIG_MEASURED_BOOT=y 11 | CONFIG_USER_TPM1=y 12 | CONFIG_TPM_RDRESP_NEED_DELAY=y 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_PAYLOAD_FILE="../../build/kgpe-d16_workstation-usb_keyboard/bzImage" 16 | CONFIG_LINUX_COMMAND_LINE="nohz=on console=tty0 earlyprintk=tty0" 17 | CONFIG_LINUX_INITRD="../../build/kgpe-d16_workstation-usb_keyboard/initrd.cpio.xz" 18 | CONFIG_CPU_MICROCODE_CBFS_NONE=y 19 | -------------------------------------------------------------------------------- /config/coreboot-kgpe-d16_workstation.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_OPTION_TABLE=y 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_VENDOR_ASUS=y 4 | CONFIG_UART_FOR_CONSOLE=1 5 | CONFIG_BOARD_ASUS_KGPE_D16=y 6 | CONFIG_DRIVERS_PS2_KEYBOARD=y 7 | CONFIG_COREBOOT_ROMSIZE_KB_16384=y 8 | CONFIG_SOUTHBRIDGE_AMD_SB700_33MHZ_SPI=y 9 | # CONFIG_DRIVERS_INTEL_WIFI is not set 10 | CONFIG_MEASURED_BOOT=y 11 | CONFIG_USER_TPM1=y 12 | CONFIG_TPM_RDRESP_NEED_DELAY=y 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_PAYLOAD_FILE="../../build/kgpe-d16_workstation/bzImage" 16 | CONFIG_LINUX_COMMAND_LINE="nohz=on console=tty0 earlyprintk=tty0" 17 | CONFIG_LINUX_INITRD="../../build/kgpe-d16_workstation/initrd.cpio.xz" 18 | CONFIG_CPU_MICROCODE_CBFS_NONE=y 19 | -------------------------------------------------------------------------------- /config/coreboot-librem_13v2.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_BLOBS=y 2 | CONFIG_MEASURED_BOOT=y 3 | CONFIG_VENDOR_PURISM=y 4 | CONFIG_CBFS_SIZE=0xe00000 5 | CONFIG_MAINBOARD_SERIAL_NUMBER="Unknown Serial Number" 6 | CONFIG_HAVE_IFD_BIN=y 7 | CONFIG_HAVE_ME_BIN=y 8 | # CONFIG_POST_IO is not set 9 | # CONFIG_POST_DEVICE is not set 10 | # CONFIG_DRIVERS_UART_8250IO is not set 11 | CONFIG_IFD_BIN_PATH="../../blobs/librem_skl/descriptor.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/librem_skl/me.bin" 13 | CONFIG_ADD_FSP_BINARIES=y 14 | CONFIG_FSP_M_FILE="../../blobs/librem_skl/fspm.bin" 15 | CONFIG_FSP_S_FILE="../../blobs/librem_skl/fsps.bin" 16 | CONFIG_BOARD_PURISM_LIBREM13_V2=y 17 | # CONFIG_NO_POST is not set 18 | CONFIG_CPU_UCODE_BINARIES="../../blobs/librem_skl/cpu_microcode_blob.bin" 19 | CONFIG_NO_GFX_INIT=y 20 | CONFIG_INTEL_GMA_ADD_VBT_DATA_FILE=y 21 | CONFIG_INTEL_GMA_VBT_FILE="../../blobs/librem_skl/vbt.bin" 22 | CONFIG_DISPLAY_FSP_CALLS_AND_STATUS=y 23 | CONFIG_FSP_M_XIP=y 24 | # CONFIG_DRIVERS_INTEL_WIFI is not set 25 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 26 | CONFIG_PAYLOAD_LINUX=y 27 | CONFIG_PAYLOAD_FILE="../../build/librem_13v2/bzImage" 28 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 29 | CONFIG_LINUX_INITRD="../../build/librem_13v2/initrd.cpio.xz" 30 | -------------------------------------------------------------------------------- /config/coreboot-librem_13v4.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_BLOBS=y 2 | CONFIG_MEASURED_BOOT=y 3 | CONFIG_VENDOR_PURISM=y 4 | CONFIG_CBFS_SIZE=0xe00000 5 | CONFIG_MAINBOARD_SERIAL_NUMBER="Unknown Serial Number" 6 | CONFIG_HAVE_IFD_BIN=y 7 | CONFIG_HAVE_ME_BIN=y 8 | # CONFIG_POST_IO is not set 9 | # CONFIG_POST_DEVICE is not set 10 | # CONFIG_DRIVERS_UART_8250IO is not set 11 | CONFIG_IFD_BIN_PATH="../../blobs/librem_kbl/descriptor.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/librem_kbl/me.bin" 13 | CONFIG_ADD_FSP_BINARIES=y 14 | CONFIG_FSP_M_FILE="../../blobs/librem_kbl/fspm.bin" 15 | CONFIG_FSP_S_FILE="../../blobs/librem_kbl/fsps.bin" 16 | CONFIG_BOARD_PURISM_LIBREM13_V4=y 17 | # CONFIG_NO_POST is not set 18 | CONFIG_CPU_UCODE_BINARIES="../../blobs/librem_kbl/cpu_microcode_blob.bin" 19 | CONFIG_NO_GFX_INIT=y 20 | CONFIG_INTEL_GMA_ADD_VBT_DATA_FILE=y 21 | CONFIG_INTEL_GMA_VBT_FILE="../../blobs/librem_kbl/vbt.bin" 22 | CONFIG_DISPLAY_FSP_CALLS_AND_STATUS=y 23 | CONFIG_FSP_M_XIP=y 24 | # CONFIG_DRIVERS_INTEL_WIFI is not set 25 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 26 | CONFIG_PAYLOAD_LINUX=y 27 | CONFIG_PAYLOAD_FILE="../../build/librem_13v4/bzImage" 28 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 29 | CONFIG_LINUX_INITRD="../../build/librem_13v4/initrd.cpio.xz" 30 | -------------------------------------------------------------------------------- /config/coreboot-librem_15v3.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_BLOBS=y 2 | CONFIG_MEASURED_BOOT=y 3 | CONFIG_VENDOR_PURISM=y 4 | CONFIG_CBFS_SIZE=0xe00000 5 | CONFIG_MAINBOARD_SERIAL_NUMBER="Unknown Serial Number" 6 | CONFIG_HAVE_IFD_BIN=y 7 | CONFIG_HAVE_ME_BIN=y 8 | # CONFIG_POST_IO is not set 9 | # CONFIG_POST_DEVICE is not set 10 | # CONFIG_DRIVERS_UART_8250IO is not set 11 | CONFIG_IFD_BIN_PATH="../../blobs/librem_skl/descriptor.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/librem_skl/me.bin" 13 | CONFIG_ADD_FSP_BINARIES=y 14 | CONFIG_FSP_M_FILE="../../blobs/librem_skl/fspm.bin" 15 | CONFIG_FSP_S_FILE="../../blobs/librem_skl/fsps.bin" 16 | CONFIG_BOARD_PURISM_LIBREM15_V3=y 17 | # CONFIG_NO_POST is not set 18 | CONFIG_CPU_UCODE_BINARIES="../../blobs/librem_skl/cpu_microcode_blob.bin" 19 | CONFIG_NO_GFX_INIT=y 20 | CONFIG_INTEL_GMA_ADD_VBT_DATA_FILE=y 21 | CONFIG_INTEL_GMA_VBT_FILE="../../blobs/librem_skl/vbt.bin" 22 | CONFIG_DISPLAY_FSP_CALLS_AND_STATUS=y 23 | CONFIG_FSP_M_XIP=y 24 | # CONFIG_DRIVERS_INTEL_WIFI is not set 25 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 26 | CONFIG_PAYLOAD_LINUX=y 27 | CONFIG_PAYLOAD_FILE="../../build/librem_15v3/bzImage" 28 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 29 | CONFIG_LINUX_INITRD="../../build/librem_15v3/initrd.cpio.xz" 30 | -------------------------------------------------------------------------------- /config/coreboot-librem_15v4.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_BLOBS=y 2 | CONFIG_MEASURED_BOOT=y 3 | CONFIG_VENDOR_PURISM=y 4 | CONFIG_CBFS_SIZE=0xe00000 5 | CONFIG_MAINBOARD_SERIAL_NUMBER="Unknown Serial Number" 6 | CONFIG_HAVE_IFD_BIN=y 7 | CONFIG_HAVE_ME_BIN=y 8 | # CONFIG_POST_IO is not set 9 | # CONFIG_POST_DEVICE is not set 10 | # CONFIG_DRIVERS_UART_8250IO is not set 11 | CONFIG_IFD_BIN_PATH="../../blobs/librem_kbl/descriptor.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/librem_kbl/me.bin" 13 | CONFIG_ADD_FSP_BINARIES=y 14 | CONFIG_FSP_M_FILE="../../blobs/librem_kbl/fspm.bin" 15 | CONFIG_FSP_S_FILE="../../blobs/librem_kbl/fsps.bin" 16 | CONFIG_BOARD_PURISM_LIBREM15_V4=y 17 | # CONFIG_NO_POST is not set 18 | CONFIG_CPU_UCODE_BINARIES="../../blobs/librem_kbl/cpu_microcode_blob.bin" 19 | CONFIG_NO_GFX_INIT=y 20 | CONFIG_INTEL_GMA_ADD_VBT_DATA_FILE=y 21 | CONFIG_INTEL_GMA_VBT_FILE="../../blobs/librem_kbl/vbt.bin" 22 | CONFIG_DISPLAY_FSP_CALLS_AND_STATUS=y 23 | CONFIG_FSP_M_XIP=y 24 | # CONFIG_DRIVERS_INTEL_WIFI is not set 25 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 26 | CONFIG_PAYLOAD_LINUX=y 27 | CONFIG_PAYLOAD_FILE="../../build/librem_15v4/bzImage" 28 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3 video=eDP-1:1920x1080" 29 | CONFIG_LINUX_INITRD="../../build/librem_15v4/initrd.cpio.xz" 30 | -------------------------------------------------------------------------------- /config/coreboot-librem_l1um.config: -------------------------------------------------------------------------------- 1 | CONFIG_USE_BLOBS=y 2 | CONFIG_MEASURED_BOOT=y 3 | CONFIG_VENDOR_PURISM=y 4 | CONFIG_CBFS_SIZE=0xC00000 5 | CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="Purism" 6 | CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Librem Server L1UM" 7 | CONFIG_IFD_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_l1um/flashdescriptor.bin" 8 | CONFIG_ME_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_l1um/me.bin" 9 | CONFIG_HAVE_IFD_BIN=y 10 | # CONFIG_DRIVERS_INTEL_WIFI is not set 11 | CONFIG_BOARD_PURISM_LIBREM_L1UM=y 12 | CONFIG_PCIEXP_COMMON_CLOCK=y 13 | CONFIG_FSP_EHCI1_ENABLE=y 14 | CONFIG_FSP_EHCI2_ENABLE=y 15 | CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y 16 | CONFIG_CPU_UCODE_BINARIES="3rdparty/purism-blobs/mainboard/purism/librem_l1um/cpu_microcode_blob.bin" 17 | CONFIG_HAVE_ME_BIN=y 18 | CONFIG_NO_GFX_INIT=y 19 | CONFIG_DRIVERS_GENERIC_CBFS_SERIAL=y 20 | CONFIG_SMBIOS_ENCLOSURE_TYPE=0x17 21 | CONFIG_USER_TPM1=y 22 | CONFIG_NO_POST=y 23 | CONFIG_PAYLOAD_LINUX=y 24 | CONFIG_PAYLOAD_FILE="../../build/librem_l1um/bzImage" 25 | CONFIG_LINUX_INITRD="../../build/librem_l1um/initrd.cpio.xz" 26 | CONFIG_LINUX_COMMAND_LINE="quiet loglevel=3" 27 | -------------------------------------------------------------------------------- /config/coreboot-librem_mini.config: -------------------------------------------------------------------------------- 1 | CONFIG_CBFS_SIZE=0xC00000 2 | CONFIG_VENDOR_PURISM=y 3 | CONFIG_INTEL_GMA_VBT_FILE="3rdparty/purism-blobs/mainboard/purism/librem_cnl/mini/vbt.bin" 4 | CONFIG_IFD_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_cnl/mini/flashdescriptor.bin" 5 | CONFIG_ME_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_cnl/mini/me.bin" 6 | CONFIG_HAVE_IFD_BIN=y 7 | CONFIG_BOARD_PURISM_LIBREM_MINI=y 8 | CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y 9 | CONFIG_CPU_UCODE_BINARIES="3rdparty/purism-blobs/mainboard/purism/librem_cnl/cpu_microcode_blob.bin" 10 | CONFIG_HAVE_ME_BIN=y 11 | CONFIG_PAYLOAD_LINUX=y 12 | CONFIG_PAYLOAD_FILE="../../build/librem_mini/bzImage" 13 | CONFIG_LINUX_INITRD="../../build/librem_mini/initrd.cpio.xz" 14 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=2" 15 | -------------------------------------------------------------------------------- /config/coreboot-librem_mini_v2.config: -------------------------------------------------------------------------------- 1 | CONFIG_VENDOR_PURISM=y 2 | CONFIG_INTEL_GMA_VBT_FILE="3rdparty/purism-blobs/mainboard/purism/librem_cnl/mini/vbt.bin" 3 | CONFIG_IFD_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_cnl/mini_v2/flashdescriptor.bin" 4 | CONFIG_ME_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_cnl/mini_v2/me.bin" 5 | CONFIG_HAVE_IFD_BIN=y 6 | CONFIG_BOARD_PURISM_LIBREM_MINI_V2=y 7 | CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y 8 | CONFIG_CPU_UCODE_BINARIES="3rdparty/purism-blobs/mainboard/purism/librem_cnl/cpu_microcode_blob.bin" 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_PAYLOAD_LINUX=y 11 | CONFIG_PAYLOAD_FILE="../../build/librem_mini_v2/bzImage" 12 | CONFIG_LINUX_INITRD="../../build/librem_mini_v2/initrd.cpio.xz" 13 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=2" 14 | -------------------------------------------------------------------------------- /config/coreboot-qemu-fbwhiptail.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | CONFIG_CBFS_SIZE=0x750000 3 | # CONFIG_POST_IO is not set 4 | CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y 5 | # CONFIG_POST_DEVICE is not set 6 | CONFIG_DRIVERS_PS2_KEYBOARD=y 7 | CONFIG_COREBOOT_ROMSIZE_KB_8192=y 8 | CONFIG_PCIEXP_ASPM=y 9 | CONFIG_PCIEXP_COMMON_CLOCK=y 10 | CONFIG_UART_PCI_ADDR=0 11 | CONFIG_CPU_MICROCODE_CBFS_GENERATE=y 12 | # CONFIG_CONSOLE_SERIAL is not set 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_LINUX_COMMAND_LINE="debug" 16 | CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot-fbwhiptail/bzImage" 17 | CONFIG_LINUX_INITRD="../../build/qemu-coreboot-fbwhiptail/initrd.cpio.xz" 18 | -------------------------------------------------------------------------------- /config/coreboot-qemu-hvault-tpm2.config: -------------------------------------------------------------------------------- 1 | CONFIG_LOCALVERSION="-heads" 2 | # CONFIG_INCLUDE_CONFIG_FILE is not set 3 | CONFIG_CBFS_SIZE=0xfe0000 4 | # CONFIG_POST_IO is not set 5 | CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y 6 | # CONFIG_POST_DEVICE is not set 7 | CONFIG_DRIVERS_PS2_KEYBOARD=y 8 | CONFIG_COREBOOT_ROMSIZE_KB_16384=y 9 | CONFIG_PCIEXP_ASPM=y 10 | CONFIG_PCIEXP_COMMON_CLOCK=y 11 | CONFIG_UART_PCI_ADDR=0 12 | CONFIG_CPU_MICROCODE_CBFS_GENERATE=y 13 | # CONFIG_CONSOLE_SERIAL is not set 14 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y 15 | CONFIG_PAYLOAD_LINUX=y 16 | CONFIG_PAYLOAD_FILE="../../build/qemu-hvault-tpm2/bzImage" 17 | CONFIG_LINUX_INITRD="../../build/qemu-hvault-tpm2/initrd.cpio.xz" 18 | -------------------------------------------------------------------------------- /config/coreboot-qemu-hvault.config: -------------------------------------------------------------------------------- 1 | CONFIG_LOCALVERSION="-heads" 2 | # CONFIG_INCLUDE_CONFIG_FILE is not set 3 | CONFIG_CBFS_SIZE=0x7e0000 4 | # CONFIG_POST_IO is not set 5 | CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y 6 | # CONFIG_POST_DEVICE is not set 7 | CONFIG_DRIVERS_PS2_KEYBOARD=y 8 | CONFIG_COREBOOT_ROMSIZE_KB_8192=y 9 | CONFIG_PCIEXP_ASPM=y 10 | CONFIG_PCIEXP_COMMON_CLOCK=y 11 | CONFIG_UART_PCI_ADDR=0 12 | CONFIG_CPU_MICROCODE_CBFS_GENERATE=y 13 | # CONFIG_CONSOLE_SERIAL is not set 14 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y 15 | CONFIG_PAYLOAD_LINUX=y 16 | CONFIG_PAYLOAD_FILE="../../build/qemu-hvault-generic/bzImage" 17 | CONFIG_LINUX_INITRD="../../build/qemu-hvault-generic/initrd.cpio.xz" 18 | -------------------------------------------------------------------------------- /config/coreboot-qemu.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | CONFIG_CBFS_SIZE=0xF00000 3 | # CONFIG_POST_IO is not set 4 | CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y 5 | # CONFIG_POST_DEVICE is not set 6 | CONFIG_DRIVERS_PS2_KEYBOARD=y 7 | CONFIG_COREBOOT_ROMSIZE_KB_16384=y 8 | CONFIG_PCIEXP_ASPM=y 9 | CONFIG_PCIEXP_COMMON_CLOCK=y 10 | CONFIG_UART_PCI_ADDR=0 11 | CONFIG_CPU_MICROCODE_CBFS_GENERATE=y 12 | # CONFIG_CONSOLE_SERIAL is not set 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0 vga=786" 16 | CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot/bzImage" 17 | CONFIG_LINUX_INITRD="../../build/qemu-coreboot/initrd.cpio.xz" 18 | -------------------------------------------------------------------------------- /config/coreboot-t420-hotp-maximized.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x750000 7 | CONFIG_ONBOARD_VGA_IS_PRIMARY=y 8 | CONFIG_HAVE_IFD_BIN=y 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_HAVE_GBE_BIN=y 11 | CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" 13 | CONFIG_BOARD_LENOVO_T420=y 14 | CONFIG_DRIVERS_PS2_KEYBOARD=y 15 | CONFIG_NO_POST=y 16 | CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" 17 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 18 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 19 | CONFIG_PAYLOAD_LINUX=y 20 | CONFIG_PAYLOAD_FILE="../../build/t420-hotp-maximized/bzImage" 21 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 22 | CONFIG_LINUX_INITRD="../../build/t420-hotp-maximized/initrd.cpio.xz" 23 | CONFIG_DEBUG_SMM_RELOCATION=y 24 | -------------------------------------------------------------------------------- /config/coreboot-t420-maximized.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x750000 7 | CONFIG_ONBOARD_VGA_IS_PRIMARY=y 8 | CONFIG_HAVE_IFD_BIN=y 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_HAVE_GBE_BIN=y 11 | CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" 13 | CONFIG_BOARD_LENOVO_T420=y 14 | CONFIG_DRIVERS_PS2_KEYBOARD=y 15 | CONFIG_NO_POST=y 16 | CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" 17 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 18 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 19 | CONFIG_PAYLOAD_LINUX=y 20 | CONFIG_PAYLOAD_FILE="../../build/t420-maximized/bzImage" 21 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 22 | CONFIG_LINUX_INITRD="../../build/t420-maximized/initrd.cpio.xz" 23 | CONFIG_DEBUG_SMM_RELOCATION=y 24 | -------------------------------------------------------------------------------- /config/coreboot-t420.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x750000 7 | CONFIG_ONBOARD_VGA_IS_PRIMARY=y 8 | CONFIG_HAVE_IFD_BIN=y 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_HAVE_GBE_BIN=y 11 | CONFIG_IFD_BIN_PATH="../../blobs/t420/ifd.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/t420/me.bin" 13 | CONFIG_BOARD_LENOVO_T420=y 14 | CONFIG_DRIVERS_PS2_KEYBOARD=y 15 | CONFIG_NO_POST=y 16 | CONFIG_GBE_BIN_PATH="../../blobs/t420/gbe.bin" 17 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 18 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 19 | CONFIG_PAYLOAD_LINUX=y 20 | CONFIG_PAYLOAD_FILE="../../build/t420/bzImage" 21 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 22 | CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz" 23 | CONFIG_DEBUG_SMM_RELOCATION=y 24 | -------------------------------------------------------------------------------- /config/coreboot-t430-flash.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x400000 7 | # CONFIG_POST_DEVICE is not set 8 | CONFIG_DRIVERS_UART_8250IO=y 9 | CONFIG_BOARD_LENOVO_THINKPAD_T430=y 10 | CONFIG_DRIVERS_PS2_KEYBOARD=y 11 | CONFIG_UART_PCI_ADDR=0 12 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_PAYLOAD_FILE="../../build/t430-flash/bzImage" 16 | CONFIG_LINUX_INITRD="../../build/t430-flash/initrd.cpio.xz" 17 | -------------------------------------------------------------------------------- /config/coreboot-t430-hotp-maximized.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0xB80000 4 | CONFIG_HAVE_IFD_BIN=y 5 | CONFIG_HAVE_ME_BIN=y 6 | CONFIG_HAVE_GBE_BIN=y 7 | CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin" 8 | CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin" 9 | CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin" 10 | CONFIG_BOARD_LENOVO_THINKPAD_T430=y 11 | CONFIG_NO_POST=y 12 | CONFIG_UART_PCI_ADDR=0 13 | # CONFIG_CONSOLE_SERIAL is not set 14 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 15 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 16 | CONFIG_PAYLOAD_LINUX=y 17 | CONFIG_PAYLOAD_FILE="../../build/t430-hotp-maximized/bzImage" 18 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 19 | CONFIG_LINUX_INITRD="../../build/t430-hotp-maximized/initrd.cpio.xz" 20 | CONFIG_USE_OPTION_TABLE=y 21 | CONFIG_STATIC_OPTION_TABLE=y 22 | -------------------------------------------------------------------------------- /config/coreboot-t430-maximized.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0xB80000 4 | CONFIG_HAVE_IFD_BIN=y 5 | CONFIG_HAVE_ME_BIN=y 6 | CONFIG_HAVE_GBE_BIN=y 7 | CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin" 8 | CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin" 9 | CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin" 10 | CONFIG_BOARD_LENOVO_THINKPAD_T430=y 11 | CONFIG_NO_POST=y 12 | CONFIG_UART_PCI_ADDR=0 13 | # CONFIG_CONSOLE_SERIAL is not set 14 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 15 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 16 | CONFIG_PAYLOAD_LINUX=y 17 | CONFIG_PAYLOAD_FILE="../../build/t430-maximized/bzImage" 18 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 19 | CONFIG_LINUX_INITRD="../../build/t430-maximized/initrd.cpio.xz" 20 | CONFIG_USE_OPTION_TABLE=y 21 | CONFIG_STATIC_OPTION_TABLE=y 22 | -------------------------------------------------------------------------------- /config/coreboot-t430.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0x700000 4 | CONFIG_BOARD_LENOVO_THINKPAD_T430=y 5 | CONFIG_NO_POST=y 6 | CONFIG_UART_PCI_ADDR=0 7 | # CONFIG_CONSOLE_SERIAL is not set 8 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 9 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 10 | CONFIG_PAYLOAD_LINUX=y 11 | CONFIG_PAYLOAD_FILE="../../build/t430/bzImage" 12 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 13 | CONFIG_LINUX_INITRD="../../build/t430/initrd.cpio.xz" 14 | CONFIG_USE_OPTION_TABLE=y 15 | CONFIG_STATIC_OPTION_TABLE=y 16 | -------------------------------------------------------------------------------- /config/coreboot-x220-hotp-maximized.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x750000 7 | CONFIG_ONBOARD_VGA_IS_PRIMARY=y 8 | CONFIG_HAVE_IFD_BIN=y 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_HAVE_GBE_BIN=y 11 | CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" 13 | CONFIG_BOARD_LENOVO_X220=y 14 | CONFIG_DRIVERS_PS2_KEYBOARD=y 15 | CONFIG_NO_POST=y 16 | CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" 17 | #CONFIG_DEBUG_TPM=y 18 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 19 | CONFIG_PAYLOAD_LINUX=y 20 | CONFIG_PAYLOAD_FILE="../../build/x220-hotp-maximized/bzImage" 21 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 22 | CONFIG_LINUX_INITRD="../../build/x220-hotp-maximized/initrd.cpio.xz" 23 | CONFIG_DEBUG_SMM_RELOCATION=y 24 | -------------------------------------------------------------------------------- /config/coreboot-x220-maximized.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x750000 7 | CONFIG_ONBOARD_VGA_IS_PRIMARY=y 8 | CONFIG_HAVE_IFD_BIN=y 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_HAVE_GBE_BIN=y 11 | CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" 13 | CONFIG_BOARD_LENOVO_X220=y 14 | CONFIG_DRIVERS_PS2_KEYBOARD=y 15 | CONFIG_NO_POST=y 16 | CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" 17 | #CONFIG_DEBUG_TPM=y 18 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 19 | CONFIG_PAYLOAD_LINUX=y 20 | CONFIG_PAYLOAD_FILE="../../build/x220-maximized/bzImage" 21 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 22 | CONFIG_LINUX_INITRD="../../build/x220-maximized/initrd.cpio.xz" 23 | CONFIG_DEBUG_SMM_RELOCATION=y 24 | -------------------------------------------------------------------------------- /config/coreboot-x220.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x750000 7 | CONFIG_ONBOARD_VGA_IS_PRIMARY=y 8 | CONFIG_HAVE_IFD_BIN=y 9 | CONFIG_HAVE_ME_BIN=y 10 | CONFIG_HAVE_GBE_BIN=y 11 | CONFIG_IFD_BIN_PATH="../../blobs/x220/ifd.bin" 12 | CONFIG_ME_BIN_PATH="../../blobs/x220/me.bin" 13 | CONFIG_BOARD_LENOVO_X220=y 14 | CONFIG_DRIVERS_PS2_KEYBOARD=y 15 | CONFIG_NO_POST=y 16 | CONFIG_GBE_BIN_PATH="../../blobs/x220/gbe.bin" 17 | #CONFIG_DEBUG_TPM=y 18 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 19 | CONFIG_PAYLOAD_LINUX=y 20 | CONFIG_PAYLOAD_FILE="../../build/x220/bzImage" 21 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" 22 | CONFIG_LINUX_INITRD="../../build/x220/initrd.cpio.xz" 23 | CONFIG_DEBUG_SMM_RELOCATION=y 24 | -------------------------------------------------------------------------------- /config/coreboot-x230-flash.config: -------------------------------------------------------------------------------- 1 | # CONFIG_INCLUDE_CONFIG_FILE is not set 2 | # CONFIG_COLLECT_TIMESTAMPS is not set 3 | CONFIG_USE_BLOBS=y 4 | CONFIG_MEASURED_BOOT=y 5 | CONFIG_VENDOR_LENOVO=y 6 | CONFIG_CBFS_SIZE=0x400000 7 | # CONFIG_POST_DEVICE is not set 8 | CONFIG_DRIVERS_UART_8250IO=y 9 | CONFIG_BOARD_LENOVO_X230=y 10 | CONFIG_DRIVERS_PS2_KEYBOARD=y 11 | CONFIG_UART_PCI_ADDR=0 12 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 13 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y 14 | CONFIG_PAYLOAD_LINUX=y 15 | CONFIG_PAYLOAD_FILE="../../build/x230-flash/bzImage" 16 | CONFIG_LINUX_INITRD="../../build/x230-flash/initrd.cpio.xz" 17 | CONFIG_DEBUG_SMM_RELOCATION=y 18 | -------------------------------------------------------------------------------- /config/coreboot-x230-hotp-maximized.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0xB80000 4 | CONFIG_HAVE_IFD_BIN=y 5 | CONFIG_HAVE_ME_BIN=y 6 | CONFIG_HAVE_GBE_BIN=y 7 | CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin" 8 | CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin" 9 | CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin" 10 | CONFIG_BOARD_LENOVO_X230=y 11 | CONFIG_NO_POST=y 12 | CONFIG_UART_PCI_ADDR=0 13 | CONFIG_NO_GFX_INIT=y 14 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 15 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 16 | CONFIG_PAYLOAD_LINUX=y 17 | CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized/bzImage" 18 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 19 | CONFIG_LINUX_INITRD="../../build/x230-hotp-maximized/initrd.cpio.xz" 20 | -------------------------------------------------------------------------------- /config/coreboot-x230-hotp-verification.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0x700000 4 | CONFIG_BOARD_LENOVO_X230=y 5 | CONFIG_NO_POST=y 6 | CONFIG_UART_PCI_ADDR=0 7 | CONFIG_NO_GFX_INIT=y 8 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 9 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 10 | CONFIG_PAYLOAD_LINUX=y 11 | CONFIG_PAYLOAD_FILE="../../build/x230-hotp-verification/bzImage" 12 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 13 | CONFIG_LINUX_INITRD="../../build/x230-hotp-verification/initrd.cpio.xz" 14 | -------------------------------------------------------------------------------- /config/coreboot-x230-maximized.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0xB80000 4 | CONFIG_HAVE_IFD_BIN=y 5 | CONFIG_HAVE_ME_BIN=y 6 | CONFIG_HAVE_GBE_BIN=y 7 | CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin" 8 | CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin" 9 | CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin" 10 | CONFIG_BOARD_LENOVO_X230=y 11 | CONFIG_NO_POST=y 12 | CONFIG_UART_PCI_ADDR=0 13 | CONFIG_NO_GFX_INIT=y 14 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 15 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 16 | CONFIG_PAYLOAD_LINUX=y 17 | CONFIG_PAYLOAD_FILE="../../build/x230-maximized/bzImage" 18 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 19 | CONFIG_LINUX_INITRD="../../build/x230-maximized/initrd.cpio.xz" 20 | -------------------------------------------------------------------------------- /config/coreboot-x230.config: -------------------------------------------------------------------------------- 1 | CONFIG_MEASURED_BOOT=y 2 | CONFIG_VENDOR_LENOVO=y 3 | CONFIG_CBFS_SIZE=0x700000 4 | CONFIG_BOARD_LENOVO_X230=y 5 | CONFIG_NO_POST=y 6 | CONFIG_UART_PCI_ADDR=0 7 | CONFIG_NO_GFX_INIT=y 8 | CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 9 | CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y 10 | CONFIG_PAYLOAD_LINUX=y 11 | CONFIG_PAYLOAD_FILE="../../build/x230/bzImage" 12 | CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" 13 | CONFIG_LINUX_INITRD="../../build/x230/initrd.cpio.xz" 14 | CONFIG_USE_OPTION_TABLE=y 15 | CONFIG_STATIC_OPTION_TABLE=y 16 | -------------------------------------------------------------------------------- /initrd/.ash_history: -------------------------------------------------------------------------------- 1 | #remove invalid kexec_* signed files 2 | mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot 3 | #Generate keys from GPG smartcard: 4 | mount-usb && gpg --home=/.gnupg/ --card-edit 5 | #Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 6 | mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null 7 | #Insert public key and trustdb export into reproducible rom: 8 | cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt 9 | #Flush changes to external media: 10 | mount -o,remount ro /media 11 | #Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean): 12 | flash.sh -c /media/coreboot.rom 13 | #Attest integrity of firmware as it is 14 | seal-totp 15 | #Verify Intel ME state: 16 | cbmem --console | grep '^ME' 17 | cbmem --console | less 18 | -------------------------------------------------------------------------------- /initrd/.gnupg/gpg-agent.conf: -------------------------------------------------------------------------------- 1 | scdaemon-program /bin/scdaemon 2 | pinentry-program /bin/pinentry-tty 3 | daemon 4 | -------------------------------------------------------------------------------- /initrd/.gnupg/gpg.conf: -------------------------------------------------------------------------------- 1 | use-agent 2 | -------------------------------------------------------------------------------- /initrd/bin/cbfs-init: -------------------------------------------------------------------------------- 1 | #!/bin/ash 2 | set -e -o pipefail 3 | . /etc/functions 4 | 5 | # Update initrd with CBFS files 6 | if [ -z "$CONFIG_PCR" ]; then 7 | CONFIG_PCR=7 8 | fi 9 | 10 | # Load individual files 11 | cbfsfiles=`cbfs -t 50 -l 2>/dev/null | grep "^heads/initrd/"` 12 | 13 | for cbfsname in `echo $cbfsfiles`; do 14 | filename=${cbfsname:12} 15 | if [ ! -z "$filename" ]; then 16 | echo "Loading $filename from CBFS" 17 | mkdir -p `dirname $filename` \ 18 | || die "$filename: mkdir failed" 19 | cbfs -t 50 -r $cbfsname > "$filename" \ 20 | || die "$filename: cbfs file read failed" 21 | if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then 22 | TMPFILE=/tmp/cbfs.$$ 23 | echo "$filename" > $TMPFILE 24 | cat $filename >> $TMPFILE 25 | tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \ 26 | || die "$filename: tpm extend failed" 27 | fi 28 | fi 29 | done 30 | 31 | # TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract 32 | -------------------------------------------------------------------------------- /initrd/bin/flashrom-kgpe-d16-openbmc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | . /etc/functions 3 | 4 | ROM="$1" 5 | if [ -z "$1" ]; then 6 | die "Usage: $0 /media/kgpe-d16-openbmc.rom" 7 | fi 8 | 9 | cp "$ROM" /tmp/kgpe-d16-openbmc.rom 10 | sha256sum /tmp/kgpe-d16-openbmc.rom 11 | 12 | flashrom --programmer="ast1100:spibus=2,cpu=reset" -c "S25FL128P......0" -w /tmp/kgpe-d16-openbmc.rom \ 13 | || die "$ROM: Flash failed" 14 | 15 | warn "Reboot and hopefully it works..." 16 | exit 0 17 | -------------------------------------------------------------------------------- /initrd/bin/generic-init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Boot from a local disk installation 3 | 4 | . /etc/functions 5 | . /tmp/config 6 | 7 | mount_boot() 8 | { 9 | # Mount local disk if it is not already mounted 10 | if ! grep -q /boot /proc/mounts ; then 11 | mount -o ro /boot \ 12 | || recovery "Unable to mount /boot" 13 | fi 14 | } 15 | 16 | 17 | # Confirm we have a good TOTP unseal and ask the user for next choice 18 | while true; do 19 | echo "y) Default boot" 20 | echo "n) TOTP does not match" 21 | echo "r) Recovery boot" 22 | echo "u) USB boot" 23 | echo "m) Boot menu" 24 | 25 | if ! confirm_totp "Boot mode"; then 26 | recovery 'Failed to unseal TOTP' 27 | fi 28 | 29 | if [ "$totp_confirm" = "r" ]; then 30 | recovery "User requested recovery shell" 31 | fi 32 | 33 | if [ "$totp_confirm" = "n" ]; then 34 | echo "" 35 | echo "To correct clock drift: 'date -s HH:MM:SS'" 36 | echo "and save it to the RTC: 'hwclock -w'" 37 | echo "then reboot and try again" 38 | echo "" 39 | recovery "TOTP mismatch" 40 | fi 41 | 42 | if [ "$totp_confirm" = "u" ]; then 43 | exec /bin/usb-init 44 | continue 45 | fi 46 | 47 | if [ "$totp_confirm" = "m" ]; then 48 | # Try to select a kernel from the menu 49 | mount_boot 50 | kexec-select-boot -m -b /boot -c "grub.cfg" 51 | continue 52 | fi 53 | 54 | if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then 55 | # Try to boot the default 56 | mount_boot 57 | kexec-select-boot -b /boot -c "grub.cfg" \ 58 | || recovery "Failed default boot" 59 | fi 60 | 61 | done 62 | 63 | recovery "Something failed during boot" 64 | -------------------------------------------------------------------------------- /initrd/bin/gpgv: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # if we are using the full GPG we need a wrapper for the gpgv executable 3 | exec gpg --verify "$@" 4 | -------------------------------------------------------------------------------- /initrd/bin/halt: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Sync all mounted filesystems 4 | echo s > /proc/sysrq-trigger 5 | 6 | # Remount all mounted filesystems in read-only mode 7 | echo u > /proc/sysrq-trigger 8 | 9 | # Immediately reboot the system, without unmounting or syncing filesystems 10 | echo o > /proc/sysrq-trigger 11 | -------------------------------------------------------------------------------- /initrd/bin/iommu_audit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # shopt -s nullglob 4 | echo "###########################################################################" 5 | echo -e "[+] \e[93mChecking Peripheral devices on IOMMU\e[0m" 6 | echo "---------------------------------------------------------------------------" 7 | 8 | devs=`lspci -nn|cut -d" " -f1` 9 | iommu_dev=`for d in /sys/kernel/iommu_groups/*/devices/*; do echo ${d#/*devices/} | cut -c 6-; done;` 10 | 11 | for d in $devs; do 12 | echo "$iommu_dev" | grep -q $d 13 | if [ $? -eq 0 ]; then 14 | echo -e "IOMMU group `for d2 in /sys/kernel/iommu_groups/*/devices/*; do n=${d2#*/iommu_groups/*}; echo ${d2#*/iommu_groups/*} | grep -F "$d" | cut -d"/" -f1;done;` :`lspci -nns $d` :\e[92m Pass\e[0m" 15 | else 16 | echo -e "Warning:\e[91m High risk device( `lspci -nns $d` ) has been found \e[0m, please contact your security consultant!" 17 | fi 18 | done 19 | 20 | -------------------------------------------------------------------------------- /initrd/bin/kexec-attest: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This will unseal and unecncrypt the drive encryption key from the TPM 3 | # The TOTP secret will be shown to the user on each encryption attempt. 4 | # It will then need to be bundled into initrd that is booted with Qubes. 5 | set -e -o pipefail 6 | 7 | SECRET_DIR=/tmp/secret 8 | 9 | . /etc/functions 10 | mkdir -p "$SECRET_DIR" 11 | 12 | QUOTE_PCRS="0,1,2,3,4,5,6,7" 13 | 14 | if [ -n "$attest_server" ]; then 15 | mkdir -p "$SECRET_DIR/attest" 16 | tpm2-attest attest "http://$attest_server/attest" \ 17 | | tar -xC "$SECRET_DIR/attest" \ 18 | || die "Remote attestation failed!" 19 | pcrf="/tmp/secret/pcrf.bin" 20 | # pcr 11 is expected to be zero 21 | dd if=/dev/zero bs=32 count=1 > "$pcrf" 22 | tpm2-recv -f "$SECRET_DIR/attest/rootfs.key.symkeyenc" \ 23 | "$1" \ 24 | tpm2 policypcr -l "sha256:11" -f "$pcrf" \ 25 | || die "Failed to obtain attest key!" 26 | echo "Remote attestation passed!" 27 | tpmr startsession || die "Failed to restart encrypted session!" 28 | # Override PCR 11 so that user can't read the key 29 | else 30 | die "No attestation server configured!" 31 | fi 32 | -------------------------------------------------------------------------------- /initrd/bin/kexec-iso-init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Boot from signed ISO 3 | set -e -o pipefail 4 | . /etc/functions 5 | . /tmp/config 6 | 7 | MOUNTED_ISO_PATH="$1" 8 | ISO_PATH="$2" 9 | DEV="$3" 10 | 11 | echo '+++ Verifying ISO' 12 | # Verify the signature on the hashes 13 | ISOSIG="$MOUNTED_ISO_PATH.sig" 14 | if ! [ -r "$ISOSIG" ]; then 15 | ISOSIG="$MOUNTED_ISO_PATH.asc" 16 | fi 17 | 18 | ISO_PATH="${ISO_PATH##/}" 19 | 20 | gpgv --homedir=/etc/distro/ "$ISOSIG" "$MOUNTED_ISO_PATH" \ 21 | || die 'ISO signature failed' 22 | 23 | echo '+++ Mounting ISO and booting' 24 | mount -t iso9660 -o loop $MOUNTED_ISO_PATH /boot \ 25 | || die '$MOUNTED_ISO_PATH: Unable to mount /boot' 26 | 27 | DEV_UUID=`blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2` 28 | ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH img_dev=/dev/disk/by-uuid/$DEV_UUID iso-scan/filename=/${ISO_PATH} img_loop=$ISO_PATH" 29 | REMOVE="" 30 | 31 | paramsdir="/media/kexec_iso/$ISO_PATH" 32 | check_config $paramsdir 33 | 34 | ADD_FILE=/tmp/kexec/kexec_iso_add.txt 35 | if [ -r $ADD_FILE ]; then 36 | NEW_ADD=`cat $ADD_FILE` 37 | ADD=$(eval "echo \"$NEW_ADD\"") 38 | echo "+++ Overriding standard ISO kernel add arguments: $ADD" 39 | fi 40 | REMOVE_FILE=/tmp/kexec/kexec_iso_remove.txt 41 | if [ -r $REMOVE_FILE ]; then 42 | NEW_REMOVE=`cat $REMOVE_FILE` 43 | REMOVE=$(eval "echo \"$NEW_REMOVE\"") 44 | echo "+++ Overriding standard ISO kernel remove arguments: $REMOVE" 45 | fi 46 | 47 | # Call kexec and indicate that hashes have been verified 48 | kexec-select-boot -b /boot -d /media -p "$paramsdir" \ 49 | -a "$ADD" -r "$REMOVE" -c "*.cfg" -u -i 50 | 51 | die "Something failed in selecting boot" 52 | -------------------------------------------------------------------------------- /initrd/bin/key-init: -------------------------------------------------------------------------------- 1 | #!/bin/ash 2 | set -e -o pipefail 3 | . /etc/functions 4 | 5 | # Post processing of keys 6 | 7 | # Import user's keys 8 | gpg --import /.gnupg/keys/*.key /.gnupg/keys/*.asc 2>/dev/null || true 9 | 10 | # Import trusted distro keys allowed for ISO signing 11 | gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true 12 | #Set distro keys trust level to ultimate (trust anything that was signed with these keys) 13 | gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true 14 | gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true 15 | 16 | # Add user's keys to the list of trusted keys for ISO signing 17 | gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true 18 | -------------------------------------------------------------------------------- /initrd/bin/mount-sata: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Setup the devices for SATA 3 | . /etc/functions 4 | 5 | for mod in libata libahci ahci; do 6 | if ! lsmod | grep -q "^$mod " ; then 7 | insmod "/lib/modules/$mod.ko" \ 8 | || die "$mod: Unable to load module" 9 | fi 10 | done 11 | 12 | if [ ! -z "$1" ]; then 13 | exec mount "$@" 14 | fi 15 | -------------------------------------------------------------------------------- /initrd/bin/poweroff: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Sync all mounted filesystems 4 | echo s > /proc/sysrq-trigger 5 | 6 | # Remount all mounted filesystems in read-only mode 7 | echo u > /proc/sysrq-trigger 8 | 9 | # Shut off the system 10 | echo o > /proc/sysrq-trigger 11 | -------------------------------------------------------------------------------- /initrd/bin/qubes-measure-luks: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Measure all of the luks disk encryption headers into 3 | # a PCR so that we can detect disk swap attacks. 4 | 5 | die() { echo >&2 "$@"; exit 1; } 6 | 7 | # Measure the luks headers into PCR 6 8 | for dev in "$@"; do 9 | cryptsetup luksHeaderBackup $dev \ 10 | --header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') \ 11 | || die "$dev: Unable to read luks header" 12 | done 13 | 14 | sha256sum /tmp/lukshdr-* > /tmp/luksDump.txt || die "Unable to hash luks headers" 15 | rm /tmp/lukshdr-* 16 | 17 | tpmr extend -ix 6 -if /tmp/luksDump.txt \ 18 | || die "Unable to extend PCR" 19 | -------------------------------------------------------------------------------- /initrd/bin/reboot: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Sync all mounted filesystems 4 | echo s > /proc/sysrq-trigger 5 | 6 | # Remount all mounted filesystems in read-only mode 7 | echo u > /proc/sysrq-trigger 8 | 9 | # Immediately reboot the system, without unmounting or syncing filesystems 10 | echo b > /proc/sysrq-trigger 11 | -------------------------------------------------------------------------------- /initrd/bin/t430-flash.init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Initialize the USB and network device drivers, 3 | # invoke a recovery shell and prompt the user for how to proceed 4 | 5 | . /etc/functions 6 | . /tmp/config 7 | 8 | insmod /lib/modules/ehci-hcd.ko 9 | insmod /lib/modules/ehci-pci.ko 10 | insmod /lib/modules/xhci-hcd.ko 11 | insmod /lib/modules/xhci-pci.ko 12 | insmod /lib/modules/e1000e.ko 13 | insmod /lib/modules/usb-storage.ko 14 | 15 | tpm extend -ix 4 -ic recovery 16 | sleep 2 17 | 18 | echo '***** Starting recovery shell' 19 | echo '' 20 | echo 'To install from flash drive:' 21 | echo '' 22 | echo ' mount -o ro /dev/sdb1 /media' 23 | echo ' flash.sh /media/t430.rom' 24 | echo '' 25 | 26 | exec /bin/ash 27 | -------------------------------------------------------------------------------- /initrd/bin/tpm-reset: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | . /etc/functions 3 | 4 | echo '*****' 5 | echo '***** WARNING: This will erase all keys and secrets from the TPM' 6 | echo '*****' 7 | 8 | read -s -p "New TPM owner password: " key_password 9 | echo 10 | 11 | if [ -z "$key_password" ]; then 12 | die "Empty owner password is not allowed" 13 | fi 14 | 15 | read -s -p "Repeat owner password: " key_password2 16 | echo 17 | 18 | 19 | if [ "$key_password" != "$key_password2" ]; then 20 | die "Key passwords do not match" 21 | fi 22 | 23 | # Make sure the TPM is ready to be reset 24 | tpm physicalpresence -s 25 | tpm physicalenable 26 | tpm physicalsetdeactivated -c 27 | tpm forceclear 28 | tpm physicalenable 29 | tpm takeown -pwdo "$key_password" 30 | 31 | # And now turn it all back on 32 | tpm physicalpresence -s 33 | tpm physicalenable 34 | tpm physicalsetdeactivated -c 35 | -------------------------------------------------------------------------------- /initrd/bin/uefi-init: -------------------------------------------------------------------------------- 1 | #!/bin/ash 2 | set -e -o pipefail 3 | . /etc/functions 4 | 5 | # Update initrd with CBFS files 6 | if [ -z "$CONFIG_PCR" ]; then 7 | CONFIG_PCR=7 8 | fi 9 | 10 | CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572" 11 | 12 | # copy EFI file named $CONFIG_GUID to /tmp, measure and extract 13 | GUID=`uefi -l | grep "^$CONFIG_GUID"` 14 | 15 | if [ -n "GUID" ]; then 16 | echo "Loading $GUID from ROM" 17 | TMPFILE=/tmp/uefi.$$ 18 | uefi -r $GUID | gunzip -c > $TMPFILE \ 19 | || die "Failed to read config GUID from ROM" 20 | 21 | if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then 22 | tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \ 23 | || die "$filename: tpm extend failed" 24 | fi 25 | 26 | ( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \ 27 | || die "Failed to extract config GUID" 28 | fi 29 | -------------------------------------------------------------------------------- /initrd/bin/unseal-totp: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Retrieve the sealed file from the NVRAM, unseal it and compute the totp 3 | 4 | . /etc/functions 5 | 6 | TOTP_SEALED="/tmp/secret/totp.sealed" 7 | TOTP_SECRET="/tmp/secret/totp.key" 8 | if [ "$CONFIG_TPM" = "y" ]; then 9 | tpm nv_readvalue \ 10 | -in 4d47 \ 11 | -sz 312 \ 12 | -of "$TOTP_SEALED" \ 13 | || die "Unable to retrieve sealed file from TPM NV" 14 | 15 | tpm unsealfile \ 16 | -hk 40000000 \ 17 | -if "$TOTP_SEALED" \ 18 | -of "$TOTP_SECRET" \ 19 | || die "Unable to unseal totp secret" 20 | elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then 21 | tpmr unseal 0x81004d47 sha256:0,1,2,3,4,7 > "$TOTP_SECRET" 22 | fi 23 | 24 | shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null 25 | 26 | if ! totp -q < "$TOTP_SECRET"; then 27 | shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null 28 | die 'Unable to compute TOTP hash?' 29 | fi 30 | 31 | shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null 32 | exit 0 33 | -------------------------------------------------------------------------------- /initrd/bin/usb-init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Boot a USB installation 3 | 4 | . /etc/functions 5 | . /tmp/config 6 | 7 | if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then 8 | # Extend PCR4 as soon as possible 9 | tpmr extend -ix 4 -ic usb 10 | fi 11 | 12 | media-scan usb 13 | recovery "Something failed during USB boot" 14 | -------------------------------------------------------------------------------- /initrd/bin/wget-measure.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # get a file and extend a TPM PCR 3 | 4 | die() { 5 | echo >&2 "$@" 6 | exit 1 7 | } 8 | 9 | INDEX="$1" 10 | URL="$2" 11 | 12 | if [ -z "$INDEX" -o -z "$URL" ]; then 13 | die "Usage: $0 pcr-index url" 14 | fi 15 | 16 | 17 | wget "$URL" || die "$URL: failed" 18 | 19 | FILE="`basename "$URL"`" 20 | tpmr extend -ix "$INDEX" -if "$FILE" || die "$FILE: tpm extend failed" 21 | 22 | 23 | -------------------------------------------------------------------------------- /initrd/bin/x230-flash.init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Initialize the USB and network device drivers, 3 | # invoke a recovery shell and prompt the user for how to proceed 4 | 5 | . /etc/functions 6 | . /tmp/config 7 | 8 | insmod /lib/modules/ehci-hcd.ko 9 | insmod /lib/modules/ehci-pci.ko 10 | insmod /lib/modules/xhci-hcd.ko 11 | insmod /lib/modules/xhci-pci.ko 12 | insmod /lib/modules/e1000e.ko 13 | insmod /lib/modules/usb-storage.ko 14 | 15 | tpmr extend -ix 4 -ic recovery 16 | sleep 2 17 | 18 | echo '***** Starting recovery shell' 19 | echo '' 20 | echo 'To install from flash drive:' 21 | echo '' 22 | echo ' mount -o ro /dev/sdb1 /media' 23 | echo ' flash.sh /media/x230.rom' 24 | echo '' 25 | 26 | exec /bin/ash 27 | -------------------------------------------------------------------------------- /initrd/etc/distro/keys/qubes-4.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1 3 | 4 | mQINBFi9Xv4BEADTkOlBTDmO6DsFJi754ilTFqsluGWleeProuz8Q+bHFlx0Mqtk 5 | uOUcxIjEWwxhn1qN98dIPYds+mD9Bohamdh+bJYxB/YYj9B2xvURhCpxVlWzzkzt 6 | i1lPYhj/MR637N9JqIdILmJSBFDxmnuWfQxfsbIsi4lUx5oq6HzIAYXzUzA+0/0a 7 | c/j0zAm9oBq+pXPad/xkH8ebkNAL0+HbHArBNFzrhVKmi1VskpxurPIYZEcQ0dUu 8 | n447TM/37y+dzmNYxvSuK2zBPFa9upXsKZEoVaJqksXDdX2YuMsZFiesdieL85w7 9 | sD1iI6Eqmp5EIZXa8t0/MHTaDrm1tDKJdSu/5zrh0RFh+J73qxJH8lDJqcTVggCe 10 | Xoasoi1LNg0CIgzVM+zLEDbpNd6mILdXQNHzsU4CP2UFpMxOUUDMEPYSE3WBExWX 11 | 0dBO8QgvTOzqvRWq7TL2jKaprsB/ZXiZief5hOK2QFL6HFEOuFuWLf3tb2+tpJoZ 12 | LXbXYW+6M+WNRHr9mDg3o6SuZmSwUCOa1FV/i51gqiUHmXEfIGH3iE5WWq2bvUG1 13 | dhjkzDGPL9fXbCWS6+QARakXRbxslsc4RgMrQR6nLEAuOL7GDaG3c7ldqgfotkal 14 | 5KDB5/1AxYW1TC0JfoKWalYrfXlUJlbHcvDFqHdyljOnoeJ8WVqLNE9hUQARAQAB 15 | tB5RdWJlcyBPUyBSZWxlYXNlIDQgU2lnbmluZyBLZXmJAjcEEwEIACEFAli9Xv4C 16 | GwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQGEh5L54nlem9QRAAkaDEfYey 17 | FoldssIDE/gliYYb7RSYBjs+QrYJQjBxFGXXPgHS5kGMZfMkqVVBc8EtHh41q7gU 18 | mUIHVbjnKIcYaKLaVl/qb9Jkx+6/NxEYWjNVEMMwPk820QgI1alWrweH7ZuxxGlz 19 | CzOQsyKZLH3TESEf46CUjv9FHW2nKPAp5qVMzLRlgtquQAdfh7SWau7Kd+WPQOiB 20 | 9cj+j3/yswsrpLmvqJP8trS/aKAhsn2jGrxwSAbdGCzQorJjUy5HLZ6xVIk9yD0T 21 | +o9cbK4SQSuOHUiA9Z5gA7vuxwOuloDhIm74k2PBWMaUEvx19nIh4XmgGEKNzI6V 22 | SbR+s+d9ciQ/aC/bXdeeZOpCDaty54D8sKzMi2y15Urycxwpz508LwE6I3Zm0Won 23 | xMEf5gGR30szgQdh6sJKIqZ2nVDLBg4H1mc4CULhsgViN/vM3Rrj2t4kOwUM30AU 24 | M49o4JPzY4wvhsAmhIQGl38C8wDkSqPwntRsszpbLgzI3Lsxb00xiPcLR6Y/pviH 25 | AfHxh/1uYymjD1Fq9u9ylgR6+15qqEYY/uEHr2EQyVvXQ08R1iKkT+v8fufMFUWa 26 | rJxyB+5v/RPRKvRRi9Xb1HkoiFo3E/bEPYKlGA2colp5iqFYpTUBJYJXyMosgjI+ 27 | mqH0I+V+LuMtlE521YHKg0tsB9GVlfWBS10= 28 | =QN1j 29 | -----END PGP PUBLIC KEY BLOCK----- 30 | -------------------------------------------------------------------------------- /initrd/etc/fstab: -------------------------------------------------------------------------------- 1 | devtmpfs /dev devtmpfs defaults 0 0 2 | devpts /dev/pts devpts defaults 0 0 3 | sysfs /sys sysfs defaults 0 0 4 | proc /proc proc defaults 0 0 5 | efivarfs /sys/firmware/efi/efivars efivarfs defaults 0 0 6 | securityfs /sys/kernel/security securityfs defaults 0 0 7 | -------------------------------------------------------------------------------- /initrd/etc/group: -------------------------------------------------------------------------------- 1 | root:x:0: 2 | -------------------------------------------------------------------------------- /initrd/etc/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | -------------------------------------------------------------------------------- /initrd/etc/motd: -------------------------------------------------------------------------------- 1 | _ _ _ 2 | | | | | ___ __ _ __| |___ 3 | | |_| |/ _ \/ _` |/ _` / __| 4 | | _ | __/ (_| | (_| \__ \ 5 | |_| |_|\___|\__,_|\__,_|___/ 6 | 7 | -------------------------------------------------------------------------------- /initrd/etc/mtab: -------------------------------------------------------------------------------- 1 | ../proc/self/mounts -------------------------------------------------------------------------------- /initrd/etc/passwd: -------------------------------------------------------------------------------- 1 | root:x:0:0:root:/:/bin/ash 2 | -------------------------------------------------------------------------------- /initrd/etc/shells: -------------------------------------------------------------------------------- 1 | /bin/sh 2 | /bin/ash 3 | /bin/bash 4 | -------------------------------------------------------------------------------- /initrd/mount-boot: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Extract the GPG signed dmsetup configuration from 3 | # the header of the file system, validate it against 4 | # the trusted key database, and execute it to mount 5 | # the /boot filesystem 6 | 7 | dev="$1" 8 | offset="$2" 9 | 10 | cmd=/tmp/mount-boot 11 | cmd_sig="$cmd.asc" 12 | 13 | if [ -z "$dev" ]; then 14 | dev=/dev/sda 15 | fi 16 | 17 | if [ -z "$offset" ]; then 18 | offset=256 19 | fi 20 | 21 | # 22 | # Find the size of the device 23 | # Is there a better way? 24 | # 25 | dev_size_file="/sys/class/block/`basename $dev`/size" 26 | if [ ! -r "$dev_size_file" ]; then 27 | echo >&2 '!!!!!' 28 | echo >&2 '!!!!! $dev file $dev_size_file not found' 29 | echo >&2 '!!!!! Dropping to recovery shell' 30 | echo >&2 '!!!!!' 31 | exit -1 32 | fi 33 | 34 | dev_blocks=`cat "$dev_size_file"` 35 | 36 | # 37 | # Extract the signed file from the hard disk image 38 | # 39 | if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`"; then 40 | echo >&2 '!!!!!' 41 | echo >&2 '!!!!! Boot block extraction failed' 42 | echo >&2 '!!!!! Dropping to recovery shell' 43 | echo >&2 '!!!!!' 44 | exit -1 45 | fi 46 | 47 | # 48 | # Validate the file 49 | # 50 | if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then 51 | echo >&2 '!!!!!' 52 | echo >&2 '!!!!! GPG signature on block failed' 53 | echo >&2 '!!!!! Dropping to recovery shell' 54 | echo >&2 '!!!!!' 55 | exit -1 56 | fi 57 | 58 | # 59 | # Strip the PGP signature off the file 60 | # (too bad gpgv doesn't do this) 61 | # 62 | awk < "$cmd_sig" > "$cmd" ' 63 | /BEGIN PGP SIGNATURE/ { exit }; 64 | do_print {print}; 65 | /^$/ { do_print=1 }; 66 | ' 67 | 68 | # 69 | # And execute it! 70 | # 71 | sh -x "$cmd" 72 | -------------------------------------------------------------------------------- /initrd/run/cryptsetup/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hardenedvault/vaultboot/467f13795a77095ea4816076bfa8f0f4db888565/initrd/run/cryptsetup/.placeholder -------------------------------------------------------------------------------- /initrd/sbin/config-dhcp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # udhcpc script 4 | 5 | [ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1 6 | 7 | RESOLV_CONF="/etc/resolv.conf" 8 | [ -n "$broadcast" ] && BROADCAST="broadcast $broadcast" 9 | [ -n "$subnet" ] && NETMASK="netmask $subnet" 10 | 11 | case "$1" in 12 | deconfig) 13 | grep -q -v ip= /proc/cmdline 14 | if [ $? -eq 0 ]; then 15 | /sbin/ifconfig $interface up 16 | fi 17 | grep -q -v nfsroot= /proc/cmdline 18 | if [ $? -eq 0 ]; then 19 | /sbin/ifconfig $interface 0.0.0.0 20 | fi 21 | ;; 22 | 23 | renew|bound) 24 | /sbin/ifconfig $interface $ip $BROADCAST $NETMASK 25 | 26 | if [ -n "$router" ] ; then 27 | echo "deleting routers" 28 | while route del default gw 0.0.0.0 dev $interface ; do 29 | : 30 | done 31 | 32 | for i in $router ; do 33 | route add default gw $i dev $interface 34 | done 35 | fi 36 | 37 | echo -n > $RESOLV_CONF 38 | [ -n "$domain" ] && echo search $domain >> $RESOLV_CONF 39 | for i in $dns ; do 40 | echo adding dns $i 41 | echo nameserver $i >> $RESOLV_CONF 42 | done 43 | ;; 44 | esac 45 | 46 | exit 0 47 | -------------------------------------------------------------------------------- /initrd/sbin/insmod: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # extend a TPM PCR with a module and then load it 3 | # any arguments will also be measured. 4 | # The default PCR to be extended is 5, but can be 5 | # overridden with the MODULE_PCR environment variable 6 | 7 | die() { 8 | echo >&2 "$@" 9 | exit 1 10 | } 11 | 12 | MODULE="$1"; shift 13 | 14 | if [ -z "$MODULE_PCR" ]; then 15 | MODULE_PCR=5 16 | fi 17 | 18 | 19 | if [ -z "$MODULE" ]; then 20 | die "Usage: $0 module [args...]" 21 | fi 22 | 23 | if [ ! -r "$MODULE" ]; then 24 | die "$MODULE: not found?" 25 | fi 26 | 27 | if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then 28 | if [ ! -c /dev/tpmrm0 -o ! -x /bin/tpm2 ]; then 29 | tpm_missing=1 30 | fi 31 | fi 32 | 33 | if [ -z "$tpm_missing" ]; then 34 | tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ 35 | || die "$MODULE: tpm extend failed" 36 | fi 37 | 38 | if [ ! -z "$*" -a -z "$tpm_missing" ]; then 39 | TMPFILE=/tmp/insmod.$$ 40 | echo "$@" > $TMPFILE 41 | tpmr extend -ix "$MODULE_PCR" -if $TMPFILE \ 42 | || die "$MODULE: tpm extend on arguments failed" 43 | fi 44 | 45 | # Since we have replaced the real insmod, we must invoke 46 | # the busybox insmod via the original executable 47 | busybox insmod "$MODULE" "$@" \ 48 | || die "$MODULE: insmod failed" 49 | -------------------------------------------------------------------------------- /install/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /modules/attest-tools: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_ATTEST_TOOLS) += attest-tools 2 | 3 | attest-tools_depends := bash tpm2-tools curl vim-xxd 4 | attest-tools_version := git 5 | attest-tools_repo := https://github.com/hardenedvault/v-attest 6 | attest-tools_dir := attest-tools_$(attest-tools_version) 7 | 8 | ifeq "$(CONFIG_ATTEST_TOOLS)" "y" 9 | initrd_bins += $(initrd_tmp_dir)/bin/tpm2-attest 10 | endif 11 | 12 | # We do not need to invoke the Makefile 13 | attest-tools_target := -q || true 14 | 15 | $(initrd_tmp_dir)/bin/tpm2-attest: $(build)/$(attest-tools_dir)/.build 16 | install -Dm 755 \ 17 | $(build)/$(attest-tools_dir)/sbin/tpm2-attest \ 18 | $(initrd_tmp_dir)/bin/tpm2-attest 19 | install -Dm 755 \ 20 | $(build)/$(attest-tools_dir)/sbin/tpm2-recv \ 21 | $(initrd_tmp_dir)/bin/tpm2-recv 22 | install -Dm 644 \ 23 | $(build)/$(attest-tools_dir)/functions.sh \ 24 | $(initrd_tmp_dir)/functions.sh 25 | install -Dm 644 \ 26 | $(build)/$(attest-tools_dir)/env.sh \ 27 | $(initrd_tmp_dir)/env.sh 28 | 29 | -------------------------------------------------------------------------------- /modules/bash: -------------------------------------------------------------------------------- 1 | # GNU bash 2 | modules-$(CONFIG_BASH) += bash 3 | 4 | bash_version := 5.2.37 5 | bash_dir := bash-$(bash_version) 6 | bash_tar := bash-$(bash_version).tar.gz 7 | bash_url := https://ftpmirror.gnu.org/bash/$(bash_tar) 8 | bash_hash := 9599b22ecd1d5787ad7d3b7bf0c59f312b3396d1e281175dd1f8a4014da621ff 9 | 10 | # --enable-debugger: Enables BASH_SOURCE tracing through functions as well as 11 | # BASH_ARGV/BASH_ARGC. (Otherwise BASH_SOURCE[0] is empty when calling a 12 | # function, it's only set in top level script code.) 13 | bash_configure := CFLAGS="-g0 -Os" LDFLAGS="-s" ./configure \ 14 | $(CROSS_TOOLS) \ 15 | --host $(target) \ 16 | --prefix="/usr" \ 17 | --infodir=/usr/share/info \ 18 | --mandir=/usr/share/man \ 19 | --disable-coprocesses \ 20 | --disable-net-redirections \ 21 | --disable-nls \ 22 | --enable-debugger \ 23 | --enable-largefile \ 24 | --enable-readline \ 25 | --enable-single-help-strings \ 26 | --without-bash-malloc 27 | 28 | bash_target := $(MAKE_JOBS) \ 29 | && $(MAKE) -C $(build)/$(bash_dir) \ 30 | DESTDIR="$(INSTALL)" \ 31 | install \ 32 | 33 | ifeq "$(CONFIG_BASH)" "y" 34 | initrd_bins += $(initrd_tmp_dir)/bin/bash 35 | endif 36 | 37 | $(build)/$(bash_dir)/bash: $(build)/$(bash_dir)/.build 38 | 39 | # Replace /bin/bash linked to busybox 40 | $(initrd_tmp_dir)/bin/bash: $(build)/$(bash_dir)/bash $(initrd_tmp_dir)/bin/busybox 41 | install -Dm 755 "$<" "$@" 42 | $(CROSS)strip --preserve-dates "$@" 2>&- 43 | 44 | # Force bash built after busybox 45 | bash_depends := $(musl_dep) busybox 46 | -------------------------------------------------------------------------------- /modules/busybox: -------------------------------------------------------------------------------- 1 | # Busybox is always included, unless explicitly turned off 2 | CONFIG_BUSYBOX ?= y 3 | modules-$(CONFIG_BUSYBOX) += busybox 4 | 5 | busybox_version := 1.33.2 6 | busybox_dir := busybox-$(busybox_version) 7 | busybox_tar := busybox-$(busybox_version).tar.bz2 8 | busybox_url := https://busybox.net/downloads/$(busybox_tar) 9 | busybox_hash := 6843ba7977081e735fa0fdb05893e3c002c8c5ad7c9c80da206e603cc0ac47e7 10 | 11 | busybox_configure := $(MAKE) CC="$(heads_cc)" oldconfig 12 | busybox_config := config/busybox.config 13 | busybox_output := busybox 14 | busybox_target := \ 15 | $(CROSS_TOOLS) \ 16 | $(MAKE_JOBS) \ 17 | 18 | # Install symlinks when the busybox program is installed 19 | 20 | ifeq "$(CONFIG_BUSYBOX)" "y" 21 | initrd_bins += $(initrd_bin_dir)/busybox 22 | endif 23 | 24 | $(initrd_tmp_dir)/bin/busybox: $(build)/$(busybox_dir)/.build 25 | $(call do,SYMLINK,bin/busybox,\ 26 | $(MAKE) \ 27 | -C $(build)/$(busybox_dir) \ 28 | CC="$(heads_cc)" \ 29 | CROSS_COMPILE="$(CROSS)" \ 30 | CONFIG_PREFIX="$(initrd_bin_dir)/.." \ 31 | install \ 32 | | tee -a $(build)/log/busybox.log \ 33 | $(VERBOSE_REDIRECT) \ 34 | ) 35 | @touch $< # ensure that our build file is still newer 36 | 37 | 38 | busybox_depends := $(musl_dep) 39 | -------------------------------------------------------------------------------- /modules/cairo: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CAIRO) += cairo 2 | 3 | cairo_version := 1.14.12 4 | cairo_dir := cairo-$(cairo_version) 5 | cairo_tar := cairo-$(cairo_version).tar.xz 6 | cairo_url := https://www.cairographics.org/releases/$(cairo_tar) 7 | cairo_hash := 8c90f00c500b2299c0a323dd9beead2a00353752b2092ead558139bd67f7bf16 8 | 9 | cairo_configure := \ 10 | CFLAGS="-DCAIRO_NO_MUTEX=1 -Os" \ 11 | $(CROSS_TOOLS) \ 12 | ./configure \ 13 | --host $(host) \ 14 | --prefix="/" \ 15 | --disable-xlib --disable-xcb --disable-pdf \ 16 | --disable-ps --disable-svg --disable-script \ 17 | --disable-ft --disable-fc --disable-pthread \ 18 | --disable-gobject \ 19 | && sed \ 20 | -e 's/^hardcode_libdir_flag_spec.*/hardcode_libdir_flag_spec=" -D__LIBTOOL_RPATH_DISABLE__ "/' \ 21 | < libtool \ 22 | > libtool-2 \ 23 | && mv libtool-2 libtool \ 24 | && chmod 755 libtool 25 | 26 | cairo_target := \ 27 | $(MAKE_JOBS) \ 28 | $(CROSS_TOOLS) \ 29 | DESTDIR="$(INSTALL)" \ 30 | install 31 | 32 | cairo_libraries := src/.libs/libcairo.so.2 33 | 34 | cairo_depends := pixman $(musl_dep) 35 | -------------------------------------------------------------------------------- /modules/coreboot-blobs: -------------------------------------------------------------------------------- 1 | # empty placeholder file 2 | # This submodule is defined in modules/coreboot if necessary 3 | -------------------------------------------------------------------------------- /modules/cryptsetup: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CRYPTSETUP) += cryptsetup 2 | 3 | cryptsetup_depends := util-linux popt lvm2 $(musl_dep) 4 | 5 | cryptsetup_version := 1.7.3 6 | cryptsetup_dir := cryptsetup-$(cryptsetup_version) 7 | cryptsetup_tar := cryptsetup-$(cryptsetup_version).tar.xz 8 | cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-$(cryptsetup_version).tar.xz 9 | cryptsetup_hash := af2b04e8475cf40b8d9ffd97a1acfa73aa787c890430afd89804fb544d6adc02 10 | 11 | # Use an empty prefix so that the executables will not include the 12 | # build path. 13 | cryptsetup_configure := \ 14 | $(CROSS_TOOLS) \ 15 | CFLAGS="-Os" \ 16 | ./configure \ 17 | --host $(host) \ 18 | --target $(target) \ 19 | --prefix "/" \ 20 | --disable-gcrypt-pbkdf2 \ 21 | --enable-cryptsetup-reencrypt \ 22 | --with-crypto_backend=kernel \ 23 | 24 | # but after building, replace prefix so that they will be installed 25 | # in the correct directory. 26 | cryptsetup_target := \ 27 | $(MAKE_JOBS) \ 28 | && $(MAKE) \ 29 | -C $(build)/$(cryptsetup_dir) \ 30 | prefix="$(INSTALL)" \ 31 | install 32 | 33 | cryptsetup_output := \ 34 | src/.libs/cryptsetup \ 35 | src/.libs/cryptsetup-reencrypt \ 36 | src/.libs/veritysetup \ 37 | 38 | cryptsetup_libraries := \ 39 | lib/.libs/libcryptsetup.so.4 \ 40 | 41 | -------------------------------------------------------------------------------- /modules/cryptsetup2: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2 2 | 3 | cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep) 4 | 5 | cryptsetup2_version := 2.6.1 6 | cryptsetup2_dir := cryptsetup-$(cryptsetup2_version) 7 | cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz 8 | cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz 9 | cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693 10 | 11 | 12 | # Use an empty prefix so that the executables will not include the 13 | # build path. 14 | cryptsetup2_configure := \ 15 | $(CROSS_TOOLS) \ 16 | CFLAGS="-Os" \ 17 | ./configure \ 18 | --host $(host) \ 19 | --target $(target) \ 20 | --prefix "/" \ 21 | --enable-internal-sse-argon2 \ 22 | --disable-rpath \ 23 | --disable-gcrypt-pbkdf2 \ 24 | --disable-ssh-token \ 25 | --disable-asciidoc \ 26 | --disable-nls \ 27 | --disable-selinux \ 28 | --disable-udev \ 29 | --disable-external-tokens \ 30 | --with-crypto_backend=kernel \ 31 | --with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d 32 | 33 | # but after building, replace prefix so that they will be installed 34 | # in the correct directory. 35 | cryptsetup2_target := \ 36 | $(MAKE_JOBS) \ 37 | && $(MAKE) \ 38 | -C $(build)/$(cryptsetup2_dir) \ 39 | prefix="$(INSTALL)" \ 40 | install 41 | 42 | cryptsetup2_output := \ 43 | .libs/cryptsetup \ 44 | .libs/veritysetup \ 45 | 46 | cryptsetup2_libraries := \ 47 | .libs/libcryptsetup.so.12 \ 48 | 49 | -------------------------------------------------------------------------------- /modules/dropbear: -------------------------------------------------------------------------------- 1 | # dropbear is a tiny ssh client 2 | modules-$(CONFIG_DROPBEAR) += dropbear 3 | 4 | dropbear_version := 2016.74 5 | dropbear_dir := dropbear-$(dropbear_version) 6 | dropbear_tar := dropbear-$(dropbear_version).tar.bz2 7 | dropbear_url := https://matt.ucc.asn.au/dropbear/releases/$(dropbear_tar) 8 | dropbear_hash := 2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891 9 | 10 | dropbear_configure := ./configure \ 11 | $(CROSS_TOOLS) \ 12 | --host $(host) \ 13 | --prefix "/" \ 14 | --disable-syslog \ 15 | --disable-lastlog \ 16 | --disable-utmp \ 17 | --disable-utmpx \ 18 | --disable-wtmp \ 19 | --disable-wtmpx \ 20 | 21 | dropbear_output := ssh scp dropbear 22 | dropbear_target := \ 23 | $(MAKE_JOBS) \ 24 | $(CROSS_TOOLS) \ 25 | DESTDIR="$(INSTALL)" \ 26 | dbclient scp dropbear \ 27 | && \ 28 | cp -a $(build)/$(dropbear_dir)/dbclient $(build)/$(dropbear_dir)/ssh 29 | 30 | dropbear_depends := zlib $(musl_dep) 31 | -------------------------------------------------------------------------------- /modules/fbwhiptail: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail 2 | 3 | fbwhiptail_depends := cairo $(musl_dep) 4 | 5 | fbwhiptail_version := 0f14a409735b71c219e0b9b3ee63cdae709ba143 6 | fbwhiptail_dir := fbwhiptail-$(fbwhiptail_version) 7 | fbwhiptail_tar := fbwhiptail-$(fbwhiptail_version).tar.gz 8 | fbwhiptail_url := https://source.puri.sm/coreboot/fbwhiptail/-/archive/$(fbwhiptail_version)/fbwhiptail-$(fbwhiptail_version).tar.gz 9 | fbwhiptail_hash := d664cad8a5bd5354258809a642b717c46c5b7b9e797c6275b9d6494986ad0f15 10 | 11 | fbwhiptail_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | fbwhiptail 15 | 16 | fbwhiptail_output := \ 17 | fbwhiptail whiptail 18 | -------------------------------------------------------------------------------- /modules/flashrom: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FLASHROM) += flashrom 2 | 3 | flashrom_depends := pciutils $(musl_dep) 4 | 5 | flashrom_version := 1.5.1 6 | flashrom_dir := flashrom-$(flashrom_version) 7 | flashrom_tar := $(flashrom_dir).tar.gz 8 | flashrom_url := https://github.com/flashrom/flashrom/archive/refs/tags/v$(flashrom_version).tar.gz 9 | flashrom_hash := 3f4dc7878e962e165b7eba73104d4e61231f9d4e838eb47df6ca3d87060a2aa5 10 | 11 | flashrom_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | WARNERROR=no \ 15 | CONFIG_NOTHING=yes \ 16 | CONFIG_INTERNAL=yes \ 17 | CONFIG_INTERNAL_X86=yes 18 | CONFIG_DUMMY=yes \ 19 | CONFIG_AST1100=yes \ 20 | 21 | ifeq "$(CONFIG_TARGET_ARCH)" "ppc64" 22 | flashrom_cfg := \ 23 | WARNERROR=no \ 24 | CONFIG_NOTHING=yes \ 25 | CONFIG_LINUX_MTD=yes 26 | endif 27 | 28 | #Only enable AST1100 if requested per board configs 29 | ifeq "$(CONFIG_FLASHROM_AST1100)" "y" 30 | flashrom_cfg += CONFIG_AST1100=yes 31 | endif 32 | 33 | flashrom_target := \ 34 | $(MAKE_JOBS) \ 35 | CFLAGS="-Os -I$(INSTALL)/include/pci" \ 36 | DESTDIR="$(INSTALL)" \ 37 | INSTALL="$(INSTALL)" \ 38 | LDFLAGS="-L$(INSTALL)/lib" \ 39 | PREFIX="$(INSTALL)" \ 40 | $(CROSS_TOOLS) \ 41 | $(flashrom_cfg) \ 42 | flashrom 43 | 44 | flashrom_output := \ 45 | flashrom 46 | 47 | flashrom_libraries := \ 48 | 49 | flashrom_configure := 50 | -------------------------------------------------------------------------------- /modules/flashtools: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FLASHTOOLS) += flashtools 2 | 3 | flashtools_depends := $(musl_dep) 4 | 5 | flashtools_version := 40d5170e84a3822552df7a500cd00aa870fdfe76 6 | flashtools_dir := flashtools-$(flashtools_version) 7 | flashtools_tar := flashtools-$(flashtools_version).tar.gz 8 | flashtools_url := https://github.com/osresearch/flashtools/archive/$(flashtools_version).tar.gz 9 | flashtools_hash := dca7f4fd129509bdcbf5e4646905d6dd82e91061d7faf62bbe7193c31bb7cd4c 10 | 11 | flashtools_target := \ 12 | $(CROSS_TOOLS) \ 13 | $(MAKE_JOBS) \ 14 | CFLAGS="-Os -I$(INSTALL)/include" \ 15 | LDFLAGS="-L$(INSTALL)/lib" \ 16 | 17 | flashtools_output := \ 18 | flashtool \ 19 | peek \ 20 | poke \ 21 | cbfs \ 22 | uefi \ 23 | 24 | flashtools_libraries := \ 25 | 26 | flashtools_configure := 27 | -------------------------------------------------------------------------------- /modules/frotz: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FROTZ) += frotz 2 | 3 | frotz_version := 2.44 4 | frotz_dir := frotz-$(frotz_version) 5 | frotz_tar := frotz-$(frotz_version).tar.gz 6 | frotz_url := https://github.com/DavidGriffith/frotz/archive/$(frotz_version).tar.gz 7 | frotz_hash := dbb5eb3bc95275dcb984c4bdbaea58bc1f1b085b20092ce6e86d9f0bf3ba858f 8 | 9 | frotz_configure := touch .config 10 | 11 | frotz_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | dumb && \ 15 | mv $(build)/$(frotz_dir)/dfrotz $(build)/$(frotz_dir)/frotz 16 | 17 | frotz_output := frotz 18 | 19 | frotz_depends := $(musl_dep) 20 | -------------------------------------------------------------------------------- /modules/gawk: -------------------------------------------------------------------------------- 1 | # This is not added to the module list since it is a special case 2 | # of things that need to be built for the host system, instead of the 3 | # target platform. 4 | #modules += gawk 5 | 6 | gawk_version := 4.2.1 7 | gawk_dir := gawk-$(gawk_version) 8 | gawk_tar := gawk-$(gawk_version).tar.xz 9 | 10 | gawk_url := http://gnu.mirror.constant.com/gawk/$(gawk_tar) 11 | gawk_hash := d1119785e746d46a8209d28b2de404a57f983aa48670f4e225531d3bdc175551 12 | 13 | # This is built for the local machine, not the target, so it doesn't have any 14 | # of the build instructions. 15 | -------------------------------------------------------------------------------- /modules/gpg: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG) += gpg 2 | 3 | # we install gpgv 1.4, which is an older version that has fewer 4 | # dependencies. This may need to be revisted later. 5 | gpg_version := 1.4.21 6 | gpg_dir := gnupg-$(gpg_version) 7 | gpg_tar := gnupg-$(gpg_version).tar.bz2 8 | gpg_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg_tar) 9 | gpg_hash := 6b47a3100c857dcab3c60e6152e56a997f2c7862c1b8b2b25adf3884a1ae2276 10 | 11 | # For reproducibility reasons we have to override the exec_prefix 12 | # and datarootdir on the configure line so that the Makefiles will 13 | # be generated with the correct paths, but then re-write them when 14 | # we use the install target so that they will be copied to the correct 15 | # location. 16 | # 17 | # Force a different host/build setting so that it detects a cross compile. 18 | # Otherwise it wil try to run tests. 19 | # 20 | gpg_configure := \ 21 | CFLAGS="-Os" \ 22 | $(CROSS_TOOLS) \ 23 | ./configure \ 24 | --host $(host) \ 25 | --target $(target) \ 26 | --with-libusb="$(INSTALL)" \ 27 | --prefix "/" \ 28 | --enable-card-support \ 29 | --disable-bzip2 \ 30 | --disable-asm \ 31 | --disable-exec \ 32 | --disable-photo-viewers \ 33 | --disable-keyserver-helpers \ 34 | --disable-ldap \ 35 | --disable-hkp \ 36 | --disable-finger \ 37 | --disable-dns-srv \ 38 | --disable-dns-cert \ 39 | --disable-regex \ 40 | 41 | # Run one build to generate the executables with the pre-defined 42 | # exec_prefix and datarootdir, then a second make to install the binaries 43 | # into our actual target location 44 | gpg_target := $(MAKE_JOBS) \ 45 | && $(MAKE) -C $(build)/$(gpg_dir) \ 46 | DESTDIR="$(INSTALL)" \ 47 | install 48 | 49 | gpg_output := g10/gpg 50 | 51 | gpg_depends := libusb-compat $(musl_dep) 52 | -------------------------------------------------------------------------------- /modules/hidapi: -------------------------------------------------------------------------------- 1 | # empty placeholder file 2 | # This submodule is defined in modules/hotp-verification 3 | -------------------------------------------------------------------------------- /modules/hotp-verification: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_HOTPKEY) += hotp-verification 2 | 3 | hotp-verification_depends := libusb $(musl_dep) 4 | 5 | hotp-verification_version := b2b924eabd4d713f73bfaa298cc4c759421caf8f 6 | hotp-verification_dir := hotp-verification-$(hotp-verification_version) 7 | hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz 8 | hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz 9 | hotp-verification_hash := 424d3e0b0d35d3d9ce16d68fae7d19f23bc0d4317f5ccc879c04e18c3f9bdfc1 10 | 11 | hotp-verification_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | 15 | hotp-verification_output := \ 16 | hotp_verification \ 17 | hotp_initialize 18 | 19 | hotp-verification_configure := \ 20 | INSTALL="$(INSTALL)" \ 21 | CROSS="$(CROSS)" \ 22 | $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)" 23 | 24 | hotp-verification_depends += hidapi 25 | modules-y += hidapi 26 | 27 | hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 28 | hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi 29 | hidapi_tar := hidapi-$(hidapi_version).tar.xz 30 | hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz 31 | hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 32 | 33 | 34 | ## hidapi will be built as part of hotp-verification 35 | ## so nothing to do here (but need make to be happy) 36 | hidapi_output := .built 37 | hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile 38 | -------------------------------------------------------------------------------- /modules/io386: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_IO386) += io386 2 | 3 | io386_depends := $(musl_dep) 4 | 5 | io386_version := git 6 | io386_repo := https://github.com/hardenedlinux/io386 7 | io386_dir := io386-$(io386_version) 8 | 9 | io386_target := \ 10 | $(MAKE_JOBS) \ 11 | $(CROSS_TOOLS) \ 12 | SHARED=yes \ 13 | PREFIX="/" \ 14 | && \ 15 | $(MAKE) \ 16 | -C $(build)/$(io386_dir) \ 17 | $(CROSS_TOOLS) \ 18 | SHARED=yes \ 19 | PREFIX="/" \ 20 | DESTDIR="$(INSTALL)" \ 21 | install \ 22 | 23 | io386_output := \ 24 | io386 25 | 26 | io386_libraries := 27 | 28 | io386_configure := 29 | -------------------------------------------------------------------------------- /modules/ioport: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_IOPORT) += ioport 2 | 3 | ioport_version := 1.2.orig 4 | ioport_dir := ioport-$(ioport_version) 5 | ioport_tar := ioport_$(ioport_version).tar.gz 6 | ioport_url := http://deb.debian.org/debian/pool/main/i/ioport/$(ioport_tar) 7 | ioport_hash := 7fac1c4b61eb9411275de0e1e7d7a8c3f34166f64f16413f50741e8fce2b8dc0 8 | 9 | ioport_configure := CFLAGS=-Os ./configure \ 10 | $(CROSS_TOOLS) \ 11 | --prefix "/" \ 12 | --host $(host) \ 13 | --target $(target) \ 14 | 15 | ioport_target := \ 16 | $(MAKE_JOBS) $(CROSS_TOOLS) inb && \ 17 | $(MAKE) -C "$(build)/$(ioport_dir)" all-local 18 | 19 | ioport_output := \ 20 | inb \ 21 | outb 22 | 23 | ioport_depends := $(musl_dep) 24 | -------------------------------------------------------------------------------- /modules/json-c: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CRYPTSETUP2) += json-c 2 | 3 | json-c_version := 0.14 4 | json-c_dir := json-c-$(json-c_version) 5 | json-c_tar := json-c-$(json-c_version).tar.gz 6 | json-c_url := https://s3.amazonaws.com/json-c_releases/releases/json-c-$(json-c_version)-nodoc.tar.gz 7 | json-c_hash := 99914e644a25201d82ccefa20430f7515c110923360f9ef46755527c02412afa 8 | 9 | # there is a bug in cmake-configure so that it can not be used with a "=", fxed in next 10 | # release though (then it needs to read '--prefix="$(INSTALL)"' here instead 11 | define toolchain_file = 12 | set\(CMAKE_SYSTEM_NAME Linux\)\n\ 13 | set\(CMAKE_SYSROOT $(INSTALL)\)\n\ 14 | set\(CMAKE_C_COMPILER $(CROSS)gcc\)\n\ 15 | set\(CMAKE_AR $(CROSS)ar\)\n\ 16 | set\(CMAKE_LINKER $(CROSS)ld\)\n\ 17 | set\(CMAKE_NM $(CROSS)nm\)\n\ 18 | set\(CMAKE_OBJCOPY $(CROSS)objcopy\)\n\ 19 | set\(CMAKE_OBJDUMP $(CROSS)objdump\)\n\ 20 | set\(INSTALL_PKGCONFIG_DIR $(INSTALL)/lib/pkgconfig\)\n\ 21 | set\(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER\)\n\ 22 | set\(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY\)\n\ 23 | set\(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY\)\n\ 24 | set\(CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY\) 25 | endef 26 | 27 | json-c_configure := \ 28 | echo -e "$(toolchain_file)" | sed 's/\\//g' > toolchain && \ 29 | mkdir -p build && \ 30 | cd build && \ 31 | cmake .. -DCMAKE_INSTALL_PREFIX="$(INSTALL)" -DCMAKE_TOOLCHAIN_FILE=../toolchain -DCMAKE_BUILD_TYPE=minsizerel 32 | 33 | json-c_target := \ 34 | $(CROSS_TOOLS) $(MAKE_JOBS) -C $(build)/$(json-c_dir)/build \ 35 | all install 36 | 37 | json-c_libraries := build/libjson-c.so.5 38 | -------------------------------------------------------------------------------- /modules/kexec: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_KEXEC) += kexec 2 | 3 | kexec_version := 2.0.22 4 | kexec_dir := kexec-tools-$(kexec_version) 5 | kexec_tar := kexec-tools-$(kexec_version).tar.gz 6 | kexec_url := https://kernel.org/pub/linux/utils/kernel/kexec/$(kexec_tar) 7 | kexec_hash := 40623d4321be2865ef9ea2cd6ec998d31dcf93d0f74353cbd3aa06d8821e3e41 8 | 9 | kexec_configure := \ 10 | CFLAGS="-g -Os -fno-strict-aliasing -Wall -Wstrict-prototypes" \ 11 | ./configure \ 12 | $(CROSS_TOOLS) \ 13 | --host $(host) \ 14 | --target $(arch) \ 15 | --prefix="/" \ 16 | --without-lzma \ 17 | && $(MAKE) clean 18 | 19 | kexec_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | DESTDIR="$(INSTALL)" \ 23 | install \ 24 | 25 | kexec_output := build/sbin/kexec 26 | 27 | kexec_depends := zlib $(musl_dep) 28 | -------------------------------------------------------------------------------- /modules/libaio: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_LVM2) += libaio 2 | 3 | libaio_version := 0.3.113 4 | libaio_dir := libaio-$(libaio_version) 5 | libaio_tar := libaio_$(libaio_version).orig.tar.gz 6 | libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar) 7 | libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b 8 | 9 | libaio_target := \ 10 | DESTDIR="$(INSTALL)" \ 11 | prefix="/" \ 12 | $(CROSS_TOOLS) \ 13 | install \ 14 | && mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \ 15 | 16 | libaio_libraries:= src/libaio.so.1 17 | 18 | libaio_depends := $(musl_dep) 19 | 20 | -------------------------------------------------------------------------------- /modules/libassuan: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libassuan 2 | 3 | libassuan_version := 2.5.6 4 | libassuan_dir := libassuan-$(libassuan_version) 5 | libassuan_tar := libassuan-$(libassuan_version).tar.bz2 6 | libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) 7 | libassuan_hash := e9fd27218d5394904e4e39788f9b1742711c3e6b41689a31aa3380bd5aa4f426 8 | 9 | libassuan_configure := \ 10 | CFLAGS="-Os" \ 11 | $(CROSS_TOOLS) \ 12 | ./configure \ 13 | --host $(host) \ 14 | --target $(target) \ 15 | --prefix "/" \ 16 | --disable-static \ 17 | --with-libgpg-error-prefix="$(INSTALL)" \ 18 | 19 | libassuan_target := $(MAKE_JOBS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | $(CROSS_TOOLS) \ 22 | install \ 23 | 24 | libassuan_libraries := src/.libs/libassuan.so.0 25 | 26 | libassuan_depends := libgpg-error $(musl_dep) 27 | -------------------------------------------------------------------------------- /modules/libgcrypt: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libgcrypt 2 | 3 | libgcrypt_version := 1.10.2 4 | libgcrypt_dir := libgcrypt-$(libgcrypt_version) 5 | libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 6 | libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) 7 | libgcrypt_hash := 3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03 8 | 9 | libgcrypt_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host=$(host) \ 14 | --target=$(target) \ 15 | --prefix "/" \ 16 | --disable-static \ 17 | --with-libgpg-error-prefix="$(INSTALL)" \ 18 | 19 | libgcrypt_target := $(MAKE_JOBS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | $(CROSS_TOOLS) \ 22 | install \ 23 | 24 | libgcrypt_libraries := src/.libs/libgcrypt.so.20 25 | 26 | libgcrypt_depends := libgpg-error $(musl_dep) 27 | -------------------------------------------------------------------------------- /modules/libgpg-error: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libgpg-error 2 | 3 | libgpg-error_version := 1.47 4 | libgpg-error_dir := libgpg-error-$(libgpg-error_version) 5 | libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 6 | libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) 7 | libgpg-error_hash := 9e3c670966b96ecc746c28c2c419541e3bcb787d1a73930f5e5f5e1bcbbb9bdb 8 | 9 | libgpg-error_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --prefix "/" \ 14 | --host=$(host) \ 15 | --target=$(target) \ 16 | --disable-static \ 17 | --disable-nls \ 18 | --disable-languages \ 19 | --disable-doc \ 20 | --disable-tests \ 21 | --enable-install-gpg-error-config \ 22 | 23 | libgpg-error_target := $(MAKE_JOBS) \ 24 | DESTDIR="$(INSTALL)" \ 25 | $(CROSS_TOOLS) \ 26 | install \ 27 | 28 | libgpg-error_libraries := src/.libs/libgpg-error.so.0 29 | 30 | libgpg-error_depends := $(musl_dep) 31 | -------------------------------------------------------------------------------- /modules/libhidapi-libusb: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NKSTORECLI) += libhidapi-libusb 2 | 3 | libhidapi-libusb_depends += libusb 4 | 5 | libhidapi-libusb_version := 0.9.0 6 | libhidapi-libusb_dir := hidapi-hidapi-$(libhidapi-libusb_version) 7 | libhidapi-libusb_tar := hidapi-$(libhidapi-libusb_version).tar.gz 8 | libhidapi-libusb_url := https://github.com/libusb/hidapi/archive/$(libhidapi-libusb_tar) 9 | libhidapi-libusb_hash := 630ee1834bdd5c5761ab079fd04f463a89585df8fcae51a7bfe4229b1e02a652 10 | 11 | MY_CROSS_TOOLS := \ 12 | CC="$(heads_cc) -Os" \ 13 | $(CROSS_TOOLS_NOCC) \ 14 | 15 | 16 | libhidapi-libusb_configure := ./bootstrap && \ 17 | ./configure \ 18 | $(MY_CROSS_TOOLS) \ 19 | --host $(host) \ 20 | --prefix "/" 21 | 22 | 23 | libhidapi-libusb_target := $(MAKE_JOBS) -C libusb \ 24 | DESTDIR="$(INSTALL)" \ 25 | $(MY_CROSS_TOOLS) \ 26 | install && \ 27 | cp $(INSTALL)/../build/$(libhidapi-libusb_dir)/pc/hidapi-libusb.pc $(INSTALL)/lib/pkgconfig/ \ 28 | 29 | -------------------------------------------------------------------------------- /modules/libksba: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libksba 2 | 3 | libksba_version := 1.6.4 4 | libksba_dir := libksba-$(libksba_version) 5 | libksba_tar := libksba-$(libksba_version).tar.bz2 6 | libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar) 7 | libksba_hash := bbb43f032b9164d86c781ffe42213a83bf4f2fee91455edfa4654521b8b03b6b 8 | 9 | libksba_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(target) \ 14 | --prefix "/" \ 15 | --disable-static \ 16 | --with-libgpg-error-prefix="$(INSTALL)" \ 17 | 18 | libksba_target := $(MAKE_JOBS) \ 19 | DESTDIR="$(INSTALL)" \ 20 | $(CROSS_TOOLS) \ 21 | install \ 22 | 23 | libksba_libraries := src/.libs/libksba.so.8 24 | 25 | libksba_depends := libgpg-error $(musl_dep) 26 | -------------------------------------------------------------------------------- /modules/libpng: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CAIRO) += libpng 2 | 3 | libpng_version := 1.6.34 4 | libpng_dir := libpng-$(libpng_version) 5 | libpng_tar := libpng-$(libpng_version).tar.gz 6 | libpng_url := https://github.com/glennrp/libpng-releases/raw/master/$(libpng_tar) 7 | libpng_hash := 574623a4901a9969080ab4a2df9437026c8a87150dfd5c235e28c94b212964a7 8 | 9 | libpng_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(host) \ 14 | --prefix="/" \ 15 | 16 | libpng_target := \ 17 | $(MAKE_JOBS) \ 18 | $(CROSS_TOOLS) \ 19 | DESTDIR="$(INSTALL)" \ 20 | install \ 21 | 22 | libpng_libraries := .libs/libpng16.so.16 23 | 24 | libpng_depends := zlib $(musl_dep) 25 | -------------------------------------------------------------------------------- /modules/libusb: -------------------------------------------------------------------------------- 1 | # GPG with Yubikey support requires libusb 2 | modules-$(CONFIG_GPG) += libusb 3 | modules-$(CONFIG_GPG2) += libusb 4 | 5 | libusb_version := 1.0.21 6 | libusb_dir := libusb-$(libusb_version) 7 | libusb_tar := libusb-$(libusb_version).tar.bz2 8 | libusb_url := https://downloads.sourceforge.net/project/libusb/libusb-1.0/libusb-$(libusb_version)/$(libusb_tar) 9 | libusb_url := https://github.com/libusb/libusb/releases/download/v$(libusb_version)/$(libusb_tar) 10 | libusb_hash := 7dce9cce9a81194b7065ee912bcd55eeffebab694ea403ffb91b67db66b1824b 11 | 12 | libusb_configure := \ 13 | CFLAGS="-Os" \ 14 | ./configure \ 15 | $(CROSS_TOOLS) \ 16 | --host $(target) \ 17 | --prefix "/" \ 18 | --disable-udev \ 19 | --disable-tests\ 20 | 21 | # Run one build to generate the executables with the pre-defined 22 | # exec_prefix and datarootdir, then a second make to install the binaries 23 | # into our actual target location 24 | 25 | libusb_target := $(MAKE_JOBS) \ 26 | DESTDIR="$(INSTALL)" \ 27 | $(CROSS_TOOLS) \ 28 | install \ 29 | 30 | libusb_libraries := libusb/.libs/libusb-1.0.so.0 31 | 32 | libusb_depends := $(musl_dep) 33 | -------------------------------------------------------------------------------- /modules/libusb-compat: -------------------------------------------------------------------------------- 1 | # GPG 1.4.21 uses an old version of libusb, which 2 | # is emulated with the compatibility library. 3 | # This is a bit of a hack to set it up. 4 | 5 | modules-$(CONFIG_GPG) += libusb-compat 6 | modules-$(CONFIG_GPG2) += libusb-compat 7 | 8 | libusb-compat_version := 0.1.5 9 | libusb-compat_dir := libusb-compat-$(libusb-compat_version) 10 | libusb-compat_tar := libusb-compat-$(libusb-compat_version).tar.bz2 11 | libusb-compat_url := https://downloads.sourceforge.net/project/libusb/libusb-compat-0.1/libusb-compat-$(libusb-compat_version)/$(libusb-compat_tar) 12 | libusb-compat_hash := 404ef4b6b324be79ac1bfb3d839eac860fbc929e6acb1ef88793a6ea328bc55a 13 | 14 | libusb-compat_configure := \ 15 | CFLAGS="-Os" \ 16 | ./configure \ 17 | $(CROSS_TOOLS) \ 18 | --host $(host) \ 19 | --target $(target) \ 20 | --prefix "/" \ 21 | PKG_CONFIG=/bin/false \ 22 | LIBUSB_1_0_CFLAGS="-I$(INSTALL)/include/libusb-1.0" \ 23 | LIBUSB_1_0_LIBS="$(INSTALL)/libusb-1.0.so" \ 24 | 25 | # Run one build to generate the executables with the pre-defined 26 | # exec_prefix and datarootdir, then a second make to install the binaries 27 | # into our actual target location 28 | libusb-compat_target := $(MAKE_JOBS) \ 29 | DESTDIR="$(INSTALL)" \ 30 | $(CROSS_TOOLS) \ 31 | install \ 32 | 33 | libusb-compat_libraries := libusb/.libs/libusb-0.1.so.4 34 | 35 | libusb-compat_depends := libusb $(musl_dep) 36 | -------------------------------------------------------------------------------- /modules/make: -------------------------------------------------------------------------------- 1 | # This is not added to the module list since it is a special case 2 | # of things that need to be built for the host system, instead of the 3 | # target platform. 4 | #modules += make 5 | 6 | make_version := 4.2.1 7 | make_dir := make-$(make_version) 8 | make_tar := make-$(make_version).tar.bz2 9 | 10 | make_url := http://gnu.mirror.constant.com/make/$(make_tar) 11 | make_hash := d6e262bf3601b42d2b1e4ef8310029e1dcf20083c5446b4b7aa67081fdffc589 12 | 13 | # This is built for the local machine, not the target, so it doesn't have any 14 | # of the build instructions. 15 | -------------------------------------------------------------------------------- /modules/mbedtls: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_TPMTOTP) += mbedtls 2 | 3 | mbedtls_version := 2.4.2 4 | mbedtls_dir := mbedtls-$(mbedtls_version) 5 | mbedtls_tar := mbedtls-$(mbedtls_version).tar.gz 6 | mbedtls_url := https://github.com/ARMmbed/mbedtls/archive/$(mbedtls_tar) 7 | mbedtls_hash := b7afab6a0f86e29c6055848b70d183c4e2531cb0ec955b66c0e4e1b7e4954bf4 8 | 9 | mbedtls_libraries := library/libmbedcrypto.so.0 10 | 11 | mbedtls_configure := 12 | 13 | mbedtls_target := \ 14 | SHARED=1 \ 15 | CFLAGS="-Os" \ 16 | DESTDIR=$(INSTALL) \ 17 | $(CROSS_TOOLS) \ 18 | $(MAKE_JOBS) \ 19 | install 20 | 21 | mbedtls_depends := $(musl_dep) 22 | -------------------------------------------------------------------------------- /modules/msrtools: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_MSRTOOLS) += msrtools 2 | 3 | msrtools_depends := $(musl_dep) 4 | 5 | #msrtools_version := git 6 | #msrtools_repo := https://github.com/osresearch/msr-tools 7 | 8 | msrtools_version := 572ef8a2b873eda15a322daa48861140a078b92c 9 | msrtools_dir := msrtools-$(msrtools_version) 10 | msrtools_tar := msr-tools-$(msrtools_version).tar.gz 11 | #msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz 12 | msrtools_url := https://github.com/osresearch/msr-tools/archive/$(msrtools_version).tar.gz 13 | msrtools_hash := 80554790d0a404205fe215c9ae8d2de159e980ec23821d636f201f12550e6ac0 14 | 15 | msrtools_target := \ 16 | $(CROSS_TOOLS) \ 17 | CFLAGS="-I$(INSTALL)/include" \ 18 | LDFLAGS="-L$(INSTALL)/lib" \ 19 | 20 | msrtools_output := \ 21 | wrmsr \ 22 | rdmsr \ 23 | cpuid \ 24 | 25 | msrtools_libraries := \ 26 | 27 | msrtools_configure := 28 | -------------------------------------------------------------------------------- /modules/newt: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NEWT) += newt 2 | 3 | newt_depends := popt slang $(musl_dep) 4 | 5 | newt_version := 0.52.20 6 | newt_dir := newt-$(newt_version) 7 | newt_tar := newt-$(newt_version).tar.gz 8 | newt_url := https://releases.pagure.org/newt/$(newt_tar) 9 | newt_hash := 8d66ba6beffc3f786d4ccfee9d2b43d93484680ef8db9397a4fb70b5adbb6dbc 10 | 11 | newt_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | 15 | newt_output := \ 16 | whiptail \ 17 | 18 | newt_libraries := \ 19 | libnewt.so.0.52 \ 20 | 21 | newt_configure := \ 22 | ./autogen.sh && CFLAGS="-Os" ./configure \ 23 | $(CROSS_TOOLS) \ 24 | --prefix "/" \ 25 | --host $(host) \ 26 | --without-tcl 27 | -------------------------------------------------------------------------------- /modules/nkstorecli: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NKSTORECLI) += nkstorecli 2 | 3 | nkstorecli_depends := libnitrokey libusb $(musl_dep) 4 | 5 | nkstorecli_version := 0.4.1 6 | nkstorecli_dir := nkstorecli-$(nkstorecli_version) 7 | nkstorecli_tar := nkstorecli-$(nkstorecli_version).tar.gz 8 | nkstorecli_url := https://github.com/Nitrokey/nitrokey-storage-cli/releases/download/v$(nkstorecli_version)/nkstorecli-$(nkstorecli_version).tar.gz 9 | nkstorecli_hash := 0fa7dbbede453b9c40d920c0563afdd2b0f7d08625aeb68f065512613b6fbb6b 10 | 11 | nkstorecli_target := $(MAKE_JOBS) -C src $(CROSS_TOOLS) DESTDIR=$(INSTALL) install 12 | 13 | nkstorecli_output := \ 14 | src/nkstorecli 15 | 16 | -------------------------------------------------------------------------------- /modules/npth: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += npth 2 | npth_version := 1.6 3 | npth_dir := npth-$(npth_version) 4 | npth_tar := npth-$(npth_version).tar.bz2 5 | npth_url := https://gnupg.org/ftp/gcrypt/npth/$(npth_tar) 6 | npth_hash := 1393abd9adcf0762d34798dc34fdcf4d0d22a8410721e76f1e3afcd1daa4e2d1 7 | 8 | npth_configure := ./configure \ 9 | $(CROSS_TOOLS) \ 10 | --host $(host) \ 11 | --target $(target) \ 12 | --prefix "/" \ 13 | --disable-static \ 14 | 15 | npth_target := $(MAKE_JOBS) \ 16 | DESTDIR="$(INSTALL)" \ 17 | $(CROSS_TOOLS) \ 18 | install \ 19 | 20 | npth_libraries := src/.libs/libnpth.so.0 21 | 22 | npth_depends := libgpg-error $(musl_dep) 23 | -------------------------------------------------------------------------------- /modules/openssl: -------------------------------------------------------------------------------- 1 | # OpenSSL library 2 | modules-$(CONFIG_OPENSSL) += openssl 3 | 4 | openssl_version := 3.0.8 5 | openssl_dir := openssl-$(openssl_version) 6 | openssl_tar := openssl-$(openssl_version).tar.gz 7 | openssl_url := https://www.openssl.org/source/$(openssl_tar) 8 | openssl_hash := 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e 9 | 10 | # The only optional algorithm that's enabled is SM3. tpm2-tss uses SHA, AES, 11 | # and SM3. 12 | openssl_configure := \ 13 | $(CROSS_TOOLS) \ 14 | CFLAGS="-Os" \ 15 | ./Configure \ 16 | --prefix="/" \ 17 | no-tests \ 18 | linux-$(strip $(arch)) \ 19 | no-aria \ 20 | no-bf \ 21 | no-blake2 \ 22 | no-camellia \ 23 | no-cast \ 24 | no-chacha \ 25 | no-cmac \ 26 | no-des \ 27 | no-dh \ 28 | no-dsa \ 29 | no-ecdh \ 30 | no-ecdsa \ 31 | no-idea \ 32 | no-md4 \ 33 | no-mdc2 \ 34 | no-ocb \ 35 | no-poly1305 \ 36 | no-rc2 \ 37 | no-rc4 \ 38 | no-rmd160 \ 39 | no-scrypt \ 40 | no-seed \ 41 | no-siphash \ 42 | no-siv \ 43 | no-sm2 \ 44 | no-sm4 \ 45 | no-whirlpool \ 46 | 47 | openssl_target := $(MAKE_JOBS) \ 48 | build_programs \ 49 | && \ 50 | $(MAKE) \ 51 | -C "$(build)/$(openssl_dir)" \ 52 | DESTDIR="$(INSTALL)" \ 53 | LIBDIR="lib" \ 54 | install_sw \ 55 | 56 | openssl_libraries := \ 57 | libcrypto.so.3 \ 58 | libssl.so.3 \ 59 | 60 | openssl_output := \ 61 | apps/openssl \ 62 | 63 | openssl_depends := $(musl_dep) 64 | -------------------------------------------------------------------------------- /modules/pciutils: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_PCIUTILS) += pciutils 2 | 3 | pciutils_depends := $(musl_dep) 4 | 5 | #pciutils_version := git 6 | #pciutils_repo := https://github.com/osresearch/pciutils 7 | 8 | pciutils_version := 3.5.4 9 | pciutils_dir := pciutils-$(pciutils_version) 10 | pciutils_tar := pciutils-$(pciutils_version).tar.xz 11 | pciutils_url := https://www.kernel.org/pub/software/utils/pciutils/$(pciutils_tar) 12 | pciutils_hash := 64293c6ab9318c40ef262b76d87bd9097531759752bac556e50979b1e63cfe66 13 | 14 | # IDSDIR must be set to a constant during the build, 15 | # but not during the install to make the libpci.so.3 16 | # reproducible. Otherwise the build path will be embedded 17 | # in the library and executables. 18 | 19 | pciutils_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | ZLIB=no \ 23 | HWDB=no \ 24 | LIBKMOD=no \ 25 | SHARED=yes \ 26 | IDSDIR="/" \ 27 | PREFIX="/" \ 28 | && \ 29 | $(MAKE) \ 30 | -C $(build)/$(pciutils_dir) \ 31 | $(CROSS_TOOLS) \ 32 | ZLIB=no \ 33 | HWDB=no \ 34 | LIBKMOD=no \ 35 | SHARED=yes \ 36 | PREFIX="/" \ 37 | DESTDIR="$(INSTALL)" \ 38 | install \ 39 | install-lib \ 40 | 41 | pciutils_output := \ 42 | lspci \ 43 | 44 | pciutils_libraries := \ 45 | lib/libpci.so.3.5.4 \ 46 | ../../install/lib/libpci.so.3\ 47 | 48 | pciutils_configure := 49 | -------------------------------------------------------------------------------- /modules/pinentry: -------------------------------------------------------------------------------- 1 | # pinentry is required for gpg2 to be able to read user passwords 2 | CONFIG_PINENTRY ?= $(CONFIG_GPG2) 3 | modules-$(CONFIG_PINENTRY) += pinentry 4 | 5 | pinentry_version := 1.1.0 6 | pinentry_dir := pinentry-$(pinentry_version) 7 | pinentry_tar := pinentry-$(pinentry_version).tar.bz2 8 | pinentry_url := https://www.gnupg.org/ftp/gcrypt/pinentry/$(pinentry_tar) 9 | pinentry_hash := 68076686fa724a290ea49cdf0d1c0c1500907d1b759a3bcbfbec0293e8f56570 10 | 11 | # For reproducibility reasons we have to override the exec_prefix 12 | # and datarootdir on the configure line so that the Makefiles will 13 | # be generated with the correct paths, but then re-write them when 14 | # we use the install target so that they will be copied to the correct 15 | # location. 16 | pinentry_configure := \ 17 | $(CROSS_TOOLS) \ 18 | CFLAGS="-Os" \ 19 | ./configure \ 20 | --prefix "/" \ 21 | --host $(host) \ 22 | --target $(target) \ 23 | --enable-pinentry-tty \ 24 | --with-libassuan-prefix="$(INSTALL)" \ 25 | --with-libgpg-error-prefix="$(INSTALL)" \ 26 | 27 | # Run one build to generate the executables with the pre-defined 28 | # exec_prefix and datarootdir, then a second make to install the binaries 29 | # into our actual target location 30 | pinentry_target := $(MAKE_JOBS) \ 31 | && $(MAKE) -C $(build)/$(pinentry_dir) \ 32 | DESTDIR="$(INSTALL)" \ 33 | install \ 34 | && cp $(build)/$(pinentry_dir)/tty/pinentry-tty $(build)/$(pinentry_dir)/tty/pinentry 35 | 36 | pinentry_output := tty/pinentry-tty 37 | 38 | pinentry_depends := libgpg-error libassuan $(musl_dep) 39 | -------------------------------------------------------------------------------- /modules/pixman: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CAIRO) += pixman 2 | 3 | pixman_version := 0.34.0 4 | pixman_dir := pixman-$(pixman_version) 5 | pixman_tar := pixman-$(pixman_version).tar.gz 6 | pixman_url := https://www.cairographics.org/releases/$(pixman_tar) 7 | pixman_hash := 21b6b249b51c6800dc9553b65106e1e37d0e25df942c90531d4c3997aa20a88e 8 | 9 | pixman_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(host) \ 14 | --prefix="/" \ 15 | --disable-gtk 16 | 17 | pixman_target := \ 18 | $(MAKE_JOBS) \ 19 | $(CROSS_TOOLS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | install \ 22 | 23 | pixman_libraries := pixman/.libs/libpixman-1.so.0 24 | 25 | pixman_depends := libpng $(musl_dep) 26 | -------------------------------------------------------------------------------- /modules/popt: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_POPT) += popt 2 | 3 | popt_version := 1.19 4 | popt_dir := popt-$(popt_version) 5 | popt_tar := popt-$(popt_version).tar.gz 6 | popt_url := https://fossies.org/linux/misc/$(popt_tar) 7 | popt_hash := c25a4838fc8e4c1c8aacb8bd620edb3084a3d63bf8987fdad3ca2758c63240f9 8 | 9 | popt_configure := ./configure \ 10 | $(CROSS_TOOLS) \ 11 | --prefix "/" \ 12 | --host i386-elf-linux \ 13 | 14 | 15 | popt_target := \ 16 | $(MAKE_JOBS) \ 17 | $(CROSS_TOOLS) \ 18 | && $(MAKE) \ 19 | -C "$(build)/$(popt_dir)" \ 20 | $(CROSS_TOOLS) \ 21 | DESTDIR="$(INSTALL)" \ 22 | install 23 | 24 | popt_libraries := src/.libs/libpopt.so.0 25 | 26 | popt_depends := $(musl_dep) 27 | -------------------------------------------------------------------------------- /modules/powerpc-utils: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils 2 | 3 | powerpc-utils_version := 1.3.5 4 | powerpc-utils_dir := powerpc-utils-$(powerpc-utils_version) 5 | powerpc-utils_tar := powerpc-utils-$(powerpc-utils_version).tar.gz 6 | powerpc-utils_url := https://github.com/ibm-power-utilities/powerpc-utils/archive/v$(powerpc-utils_version)/$(powerpc-utils_tar) 7 | powerpc-utils_hash := 77efe3978ac9c251c4728a35b9aebd6076583939a8e26cc7f07ffa86432a8bf0 8 | 9 | powerpc-utils_configure := \ 10 | ./autogen.sh && \ 11 | $(CROSS_TOOLS) \ 12 | CFLAGS="-Os" \ 13 | ./configure \ 14 | --host $(host) \ 15 | --target $(target) \ 16 | --prefix "/" \ 17 | --without-systemd \ 18 | --without-librtas 19 | 20 | powerpc-utils_target := \ 21 | $(MAKE_JOBS) \ 22 | $(CROSS_TOOLS) \ 23 | DESTDIR="$(INSTALL)" \ 24 | install 25 | 26 | powerpc-utils_output := src/nvram 27 | 28 | powerpc-utils_depends := $(musl_dep) 29 | -------------------------------------------------------------------------------- /modules/purism-blobs: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_PURISM_BLOBS) += purism-blobs 2 | 3 | purism-blobs_base_dir := coreboot-$(CONFIG_COREBOOT_VERSION)/3rdparty/purism-blobs 4 | purism-blobs_version := 33454f738d60e82480ac2956fc86341eb827ed00 5 | purism-blobs_tar := purism-blobs-${purism-blobs_version}.tar.gz 6 | purism-blobs_tar_opt := --strip 1 7 | purism-blobs_url := https://source.puri.sm/coreboot/purism-blobs/-/archive/${purism-blobs_version}/${purism-blobs_tar} 8 | purism-blobs_hash := a33fd900cbe49d8ada2749c28874b1d57ebbd476c0102b6f7bcce46e976f7453 9 | 10 | ## there is nothing to be built 11 | purism-blobs_output := .built 12 | purism-blobs_configure := echo -e 'all:\n\ttouch .built' > Makefile 13 | -------------------------------------------------------------------------------- /modules/qrencode: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_QRENCODE) += qrencode 2 | 3 | qrencode_version := 3.4.4 4 | qrencode_dir := qrencode-$(qrencode_version) 5 | qrencode_tar := qrencode-$(qrencode_version).tar.gz 6 | qrencode_url := https://fukuchi.org/works/qrencode/$(qrencode_tar) 7 | qrencode_hash := e794e26a96019013c0e3665cb06b18992668f352c5553d0a553f5d144f7f2a72 8 | 9 | qrencode_libraries := .libs/libqrencode.so.3 10 | 11 | qrencode_configure := \ 12 | CFLAGS="-Os" \ 13 | ./configure \ 14 | $(CROSS_TOOLS) \ 15 | --prefix "/" \ 16 | --without-tools \ 17 | --host $(host) \ 18 | 19 | qrencode_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | && $(MAKE) \ 23 | -C "$(build)/$(qrencode_dir)" \ 24 | DESTDIR="$(INSTALL)" \ 25 | install 26 | 27 | qrencode_depends := $(musl_dep) 28 | -------------------------------------------------------------------------------- /modules/slang: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_SLANG) += slang 2 | 3 | slang_version := 2.3.1a 4 | slang_dir := slang-$(slang_version) 5 | slang_tar := slang-$(slang_version).tar.bz2 6 | slang_url := https://www.jedsoft.org/releases/slang/$(slang_tar) 7 | slang_hash := 54f0c3007fde918039c058965dffdfd6c5aec0bad0f4227192cc486021f08c36 8 | 9 | slang_configure := ./configure \ 10 | $(CROSS_TOOLS) \ 11 | ac_cv_path_nc5config=no \ 12 | --prefix "/" \ 13 | --host $(host) \ 14 | --target $(target) \ 15 | --with-z=no \ 16 | --with-png=no \ 17 | --with-pcre=no \ 18 | --with-onig=no \ 19 | && mkdir -p src/elfobjs 20 | 21 | # Disable parallel make for the install target 22 | slang_target := \ 23 | $(MAKE_JOBS) \ 24 | $(CROSS_TOOLS) \ 25 | && $(MAKE) \ 26 | -j1 \ 27 | -C "$(build)/$(slang_dir)" \ 28 | $(CROSS_TOOLS) \ 29 | DESTDIR="$(INSTALL)" \ 30 | install 31 | 32 | slang_libraries := src/elfobjs/libslang.so.2 33 | 34 | slang_depends := $(musl_dep) 35 | -------------------------------------------------------------------------------- /modules/tpm2-tools: -------------------------------------------------------------------------------- 1 | # TPM2 tools program 2 | modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools 3 | 4 | tpm2-tools_version := 5.6 5 | 6 | tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version) 7 | tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz 8 | tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/$(tpm2-tools_version)/$(tpm2-tools_tar) 9 | tpm2-tools_hash := 52c8bcbaadca082abfe5eb7ee4967d2d632d84b1677675f2f071b6d2ec22cec3 10 | 11 | #tpm2-tools 5.6 adds release version based on git, while tarball downloaded doesn't include any .git 12 | # the patch comments out git output to ./VERSION, and we fill it here based on this Makefile's version 13 | #tpm2-tools doesn't play nice with reproducible builds, hardcoding lib paths without providing a configure option to remove rpaths 14 | # We make sure no hardcoding of libdir flags exist in configure script prior of calling the script with sed call 15 | # We pass additional remapping of prefix-map from $INSTALL to local dir 16 | # 17 | # TODO: remove all patches and uniformize with similar sed calls. 18 | tpm2-tools_configure := \ 19 | echo "$(tpm2-tools_version)" > ./VERSION \ 20 | && ./bootstrap \ 21 | && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ 22 | && ./configure \ 23 | $(CROSS_TOOLS) \ 24 | --host $(host) \ 25 | --target $(target) \ 26 | --prefix "/" \ 27 | --disable-fapi \ 28 | CFLAGS="-fdebug-prefix-map=$(INSTALL)=." \ 29 | 30 | tpm2-tools_target := $(MAKE_JOBS) \ 31 | DESTDIR="$(INSTALL)" \ 32 | $(CROSS_TOOLS) \ 33 | install \ 34 | 35 | tpm2-tools_output := tools/tpm2 36 | 37 | tpm2-tools_depends := tpm2-tss $(musl_dep) 38 | -------------------------------------------------------------------------------- /modules/tpmtotp: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_TPMTOTP) += tpmtotp 2 | modules-$(CONFIG_TPMTOTP) += qrencode 3 | 4 | tpmtotp_depends := mbedtls qrencode $(musl_dep) 5 | 6 | tpmtotp_version := 4d63d21c8b7db2e92ddb393057f168aead147f47 7 | tpmtotp_dir := tpmtotp-$(tpmtotp_version) 8 | tpmtotp_tar := tpmtotp-$(tpmtotp_version).tar.gz 9 | tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/$(tpmtotp_version).tar.gz 10 | tpmtotp_hash := eaac1e8f652f1da7f5a1ed6a8cfefb6511f1e5e1dabf93b44db3b29c18c5ae53 11 | 12 | tpmtotp_target := \ 13 | $(CROSS_TOOLS) \ 14 | $(MAKE_JOBS) \ 15 | CFLAGS="-I$(INSTALL)/include -Os" \ 16 | LDFLAGS="-L$(INSTALL)/lib" \ 17 | 18 | tpmtotp_output := \ 19 | totp \ 20 | hotp \ 21 | qrenc \ 22 | util/tpm \ 23 | 24 | tpmtotp_libraries := \ 25 | libtpm/libtpm.so \ 26 | 27 | tpmtotp_configure := 28 | -------------------------------------------------------------------------------- /modules/u-root: -------------------------------------------------------------------------------- 1 | # 2 | # u-root go runtime 3 | # 4 | # This is not a normal Heads module, since it builds all of its 5 | # own dependencies. 6 | # 7 | u-root_url := github.com/u-root/u-root 8 | u-root_output := $(build)/$(BOARD)/u-root.cpio 9 | UROOT_CMDS ?= 10 | 11 | export GOPATH=$(build)/go 12 | u-root_src_cmds := $(foreach cmd,$(UROOT_CMDS),github.com/u-root/u-root/cmds/$(cmd)) 13 | 14 | u-root_build := $(GOPATH)/bin/u-root 15 | 16 | $(GOPATH)/bin/u-root: 17 | go get github.com/u-root/u-root/... 18 | # 19 | # If the board directory has its own go commands, copy them 20 | # into the u-root tree so that they will be bundled into the go initrd 21 | # TODO: generalize this to support more commands 22 | # TODO: fix this sort that it doesn't leave commands lying around 23 | # 24 | ifeq "y" "$(shell [ -r 'boards/$(BOARD)/uinit.go' ] && echo y)" 25 | u-root_uinit := $(GOPATH)/src/github.com/u-root/u-root/cmds/uinit/uinit.go 26 | $(u-root_uinit): $(u-root_build) boards/$(BOARD)/uinit.go 27 | $(call install,boards/$(BOARD)/uinit.go,$@) 28 | endif 29 | 30 | $(u-root_output): $(u-root_build) $(u-root_uinit) 31 | $(call do,U-ROOT,$@,\ 32 | $(GOPATH)/bin/u-root \ 33 | -build=bb \ 34 | -format=cpio \ 35 | -o $@ \ 36 | $(u-root_src_cmds)\ 37 | ) 38 | 39 | # Override the initrd inputs and add in the kernel modules 40 | initrd-$(CONFIG_UROOT) += $(u-root_output) 41 | 42 | 43 | ifeq "$(CONFIG_UROOT)" "y" 44 | # If we are building for u-root, disable the default CONFIG_HEADS 45 | # so that the heads/initrd/etc directories will not be included 46 | CONFIG_HEADS=n 47 | 48 | # Since we do not include u-root in modules-y, we have to define our 49 | # own intermediate and clean targets here 50 | $(build)/$(u-root_dir)/.build: $(u-root_output) 51 | u-root.clean: 52 | $(RM) $(u-root_output) 53 | endif 54 | -------------------------------------------------------------------------------- /modules/util-linux: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_UTIL_LINUX) += util-linux 2 | 3 | util-linux_version := 2.39 4 | util-linux_dir := util-linux-$(util-linux_version) 5 | util-linux_tar := util-linux-$(util-linux_version).tar.xz 6 | util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar) 7 | util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb 8 | 9 | util-linux_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(host) \ 14 | --target $(target) \ 15 | --prefix "/" \ 16 | --oldincludedir "$(INSTALL)/include" \ 17 | --without-ncurses \ 18 | --without-ncursesw \ 19 | --without-tinfo \ 20 | --without-udev \ 21 | --without-python \ 22 | --disable-bash-completion \ 23 | --disable-all-programs \ 24 | --enable-libuuid \ 25 | --enable-libblkid \ 26 | 27 | 28 | util-linux_target := \ 29 | $(MAKE_JOBS) \ 30 | $(CROSS_TOOLS) \ 31 | DESTDIR="$(INSTALL)" \ 32 | install && \ 33 | rm $(INSTALL)/lib/libblkid.la && \ 34 | rm $(INSTALL)/lib/libuuid.la 35 | 36 | util-linux_libraries += \ 37 | .libs/libuuid.so.1 \ 38 | .libs/libblkid.so.1 \ 39 | 40 | util-linux_depends := $(musl_dep) 41 | -------------------------------------------------------------------------------- /modules/vim-xxd: -------------------------------------------------------------------------------- 1 | # xxd of vim 2 | modules-$(CONFIG_VIM_XXD) += vim-xxd 3 | 4 | vim-xxd_version := 9.1.1230 5 | vim-xxd_dir := vim-xxd-$(vim-xxd_version) 6 | vim-xxd_tar := vim-xxd-$(vim-xxd_version).tar.gz 7 | vim-xxd_url := https://github.com/vim/vim/archive/refs/tags/v$(vim-xxd_version).tar.gz 8 | vim-xxd_hash := 14ab9506c3dccdcbeab8483534ab1be26133cb6d511e2e13a97aeb437a856fe0 9 | 10 | # We do not need to build vim 11 | vim-xxd_target := -q || true \ 12 | && $(MAKE) $(CROSS_TOOLS) -C $(build)/$(vim-xxd_dir)/src/xxd \ 13 | 14 | vim-xxd_output := 15 | 16 | ifeq "$(CONFIG_VIM_XXD)" "y" 17 | initrd_bins += $(initrd_tmp_dir)/bin/xxd 18 | endif 19 | 20 | $(build)/$(vim-xxd_dir)/src/xxd/xxd: $(build)/$(vim-xxd_dir)/.build 21 | 22 | # Replace /bin/xxd linked to busybox 23 | $(initrd_tmp_dir)/bin/xxd: $(build)/$(vim-xxd_dir)/src/xxd/xxd \ 24 | $(initrd_tmp_dir)/bin/busybox 25 | install -Dm 755 "$<" "$@" 26 | $(CROSS)strip --preserve-dates "$@" 2>&- 27 | 28 | vim-xxd_depends := $(musl_dep) busybox 29 | -------------------------------------------------------------------------------- /modules/zlib: -------------------------------------------------------------------------------- 1 | CONFIG_ZLIB ?= y 2 | modules-$(CONFIG_ZLIB) += zlib 3 | 4 | zlib_version := 1.2.11 5 | zlib_dir := zlib-$(zlib_version) 6 | zlib_tar := zlib-$(zlib_version).tar.gz 7 | zlib_url := https://zlib.net/fossils/$(zlib_tar) 8 | zlib_hash := c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1 9 | 10 | zlib_configure := \ 11 | $(CROSS_TOOLS) \ 12 | ./configure \ 13 | --prefix="/" \ 14 | 15 | zlib_target := \ 16 | $(MAKE_JOBS) \ 17 | $(CROSS_TOOLS) \ 18 | DESTDIR="$(INSTALL)" \ 19 | install \ 20 | 21 | zlib_libraries := libz.so.1 22 | 23 | zlib_depends := $(musl_dep) 24 | -------------------------------------------------------------------------------- /packages/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /patches/attest-tools.patch: -------------------------------------------------------------------------------- 1 | diff --git a/env.sh b/env.sh 2 | --- a/env.sh 3 | +++ b/env.sh 4 | @@ -1,10 +1,6 @@ 5 | #!/bin/bash 6 | 7 | -if [ "$V_ATTEST_MODE" = "server" ]; then 8 | - RUN_DIR="/run/v-attest-server" 9 | -else 10 | - V_ATTEST_MODE="client" 11 | - RUN_DIR="/run/v-attest" 12 | -fi 13 | +V_ATTEST_MODE="client" 14 | +RUN_DIR="/tmp/secret" 15 | 16 | VAR_DIR="/var/lib/attest-server" 17 | diff --git a/functions.sh b/functions.sh 18 | --- a/functions.sh 19 | +++ b/functions.sh 20 | @@ -77,13 +77,7 @@ cleanup() { 21 | } 22 | 23 | check_tmpfs() { 24 | - local dir="$1" 25 | - local type=$(findmnt --evaluate -nro fstype "$dir") 26 | - until [ -n "$type" ]; do { 27 | - dir=$(dirname $dir) 28 | - type=$(findmnt --evaluate -nro fstype "$dir") 29 | - } done; 30 | - [ "$type" == "tmpfs" ] || die "$1 is not inside a tmpfs!" 31 | + true 32 | } 33 | 34 | setup() { 35 | -------------------------------------------------------------------------------- /patches/busybox-1.32.0.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive clean/busybox-1.28.0/libbb/messages.c busybox-1.28.0/libbb/messages.c 2 | --- clean/busybox-1.28.0/libbb/messages.c 2017-10-20 04:36:58.000000000 -0400 3 | +++ busybox-1.28.0/libbb/messages.c 2018-02-09 12:02:45.918726483 -0500 4 | @@ -13,7 +13,7 @@ 5 | 6 | /* allow version to be extended, via CFLAGS */ 7 | #ifndef BB_EXTRA_VERSION 8 | -#define BB_EXTRA_VERSION " ("AUTOCONF_TIMESTAMP")" 9 | +#define BB_EXTRA_VERSION " (heads)" 10 | #endif 11 | 12 | const char bb_banner[] ALIGN1 = "BusyBox v" BB_VER BB_EXTRA_VERSION; 13 | -------------------------------------------------------------------------------- /patches/busybox-1.33.2.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive clean/busybox-1.33.2/libbb/messages.c busybox-1.33.2/libbb/messages.c 2 | --- clean/busybox-1.33.2/libbb/messages.c 2017-10-20 04:36:58.000000000 -0400 3 | +++ busybox-1.33.2/libbb/messages.c 2018-02-09 12:02:45.918726483 -0500 4 | @@ -13,7 +13,7 @@ 5 | 6 | /* allow version to be extended, via CFLAGS */ 7 | #ifndef BB_EXTRA_VERSION 8 | -#define BB_EXTRA_VERSION " ("AUTOCONF_TIMESTAMP")" 9 | +#define BB_EXTRA_VERSION " (heads)" 10 | #endif 11 | 12 | const char bb_banner[] ALIGN1 = "BusyBox v" BB_VER BB_EXTRA_VERSION; 13 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch: -------------------------------------------------------------------------------- 1 | From 06f2fcc0ffc1a903f304d8a3382f3a57163989a1 Mon Sep 17 00:00:00 2001 2 | From: Jacob Garber 3 | Date: Mon, 4 Nov 2019 09:35:15 -0700 4 | Subject: [PATCH] cpu/x86/smm: Use PRIxPTR to print uintptr_t 5 | 6 | Since 'base' is a uintptr_t, it needs the PRIxPTR format specifier. This 7 | fixes a compilation error when targeting x86_64 or using Clang 9.0.0. 8 | 9 | Change-Id: Ib806e2b3cbb255ef208b361744ac4547b8ba262f 10 | Signed-off-by: Jacob Garber 11 | Reviewed-on: https://review.coreboot.org/c/coreboot/+/36785 12 | Tested-by: build bot (Jenkins) 13 | Reviewed-by: HAOUAS Elyes 14 | --- 15 | src/cpu/x86/smm/tseg_region.c | 5 +++-- 16 | 1 file changed, 3 insertions(+), 2 deletions(-) 17 | 18 | diff --git a/src/cpu/x86/smm/tseg_region.c b/src/cpu/x86/smm/tseg_region.c 19 | index a8b8bb7b9a..5b5c5729d5 100644 20 | --- a/src/cpu/x86/smm/tseg_region.c 21 | +++ b/src/cpu/x86/smm/tseg_region.c 22 | @@ -17,6 +17,7 @@ 23 | #include 24 | #include 25 | #include 26 | +#include 27 | 28 | /* 29 | * Subregions within SMM 30 | @@ -88,11 +89,11 @@ void smm_list_regions(void) 31 | return; 32 | 33 | printk(BIOS_DEBUG, "SMM Memory Map\n"); 34 | - printk(BIOS_DEBUG, "SMRAM : 0x%zx 0x%zx\n", base, size); 35 | + printk(BIOS_DEBUG, "SMRAM : 0x%" PRIxPTR " 0x%zx\n", base, size); 36 | 37 | for (i = 0; i < SMM_SUBREGION_NUM; i++) { 38 | if (smm_subregion(i, &base, &size)) 39 | continue; 40 | - printk(BIOS_DEBUG, " Subregion %d: 0x%zx 0x%zx\n", i, base, size); 41 | + printk(BIOS_DEBUG, " Subregion %d: 0x%" PRIxPTR " 0x%zx\n", i, base, size); 42 | } 43 | } 44 | -- 45 | 2.21.1 46 | 47 | 48 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0002-soc-intel-broadwell_de-Add-measured-boot-support.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/soc/intel/fsp_broadwell_de/romstage/romstage.c b/src/soc/intel/fsp_broadwell_de/romstage/romstage.c 2 | index 8438b1035c..ff7a29271f 100644 3 | --- a/src/soc/intel/fsp_broadwell_de/romstage/romstage.c 4 | +++ b/src/soc/intel/fsp_broadwell_de/romstage/romstage.c 5 | @@ -28,6 +28,8 @@ 6 | #include 7 | #include 8 | #include 9 | +#include 10 | +#include 11 | #include 12 | #include 13 | #include 14 | @@ -156,6 +158,20 @@ void *asmlinkage main(FSP_INFO_HEADER *fsp_info_header) 15 | early_iio_hide(); 16 | timestamp_add_now(TS_BEFORE_INITRAM); 17 | post_code(0x48); 18 | + 19 | + if (CONFIG(MEASURED_BOOT) && CONFIG(LPC_TPM)) { 20 | + // we don't know if we are coming out of a resume 21 | + // at this point, but want to setup the tpm ASAP 22 | + tpm_setup(0); 23 | + tlcl_lib_init(); 24 | + const void *const bootblock = (const void *) 0xFFFFF800; 25 | + const unsigned int bootblock_size = 0x800; 26 | + tlcl_measure(2, bootblock, bootblock_size); 27 | + 28 | + extern char _romstage, _eromstage; 29 | + tlcl_measure(2, &_romstage, &_eromstage - &_romstage); 30 | + } 31 | + 32 | /* 33 | * Call early init to initialize memory and chipset. This function returns 34 | * to the romstage_main_continue function with a pointer to the HOB 35 | @@ -214,3 +230,9 @@ uint64_t get_initial_timestamp(void) 36 | { 37 | return 0; 38 | } 39 | + 40 | +void platform_segment_loaded(uintptr_t start, size_t size, int flags) 41 | +{ 42 | + if (CONFIG(MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) 43 | + tlcl_measure(2, (const void *) start, size); 44 | +} 45 | -- 46 | 2.20.1 47 | 48 | -------------------------------------------------------------------------------- /patches/coreboot-4.13/0001-soc-cannonlake-me.c-Always-print-ME-status.patch: -------------------------------------------------------------------------------- 1 | From ce401513ac08b0c5b121e0f9c4bb38ee6e99a47d Mon Sep 17 00:00:00 2001 2 | From: Matt DeVillier 3 | Date: Fri, 19 Jun 2020 17:02:22 -0500 4 | Subject: [PATCH] soc/cannonlake/me.c: Always print ME status 5 | 6 | Print the ME status even if the CSE device is disabled, so 7 | we know which disabled state it's in. 8 | 9 | Change-Id: I939333199aa699039fec727beb094e4eb2ad7149 10 | Signed-off-by: Matt DeVillier 11 | --- 12 | src/soc/intel/cannonlake/me.c | 3 --- 13 | 1 file changed, 3 deletions(-) 14 | 15 | diff --git a/src/soc/intel/cannonlake/me.c b/src/soc/intel/cannonlake/me.c 16 | index 7bbe1ae730..4fe5a96ade 100644 17 | --- a/src/soc/intel/cannonlake/me.c 18 | +++ b/src/soc/intel/cannonlake/me.c 19 | @@ -103,9 +103,6 @@ void dump_me_status(void *unused) 20 | union me_hfsts5 hfsts5; 21 | union me_hfsts6 hfsts6; 22 | 23 | - if (!is_cse_enabled()) 24 | - return; 25 | - 26 | hfsts1.data = me_read_config32(PCI_ME_HFSTS1); 27 | hfsts2.data = me_read_config32(PCI_ME_HFSTS2); 28 | hfsts3.data = me_read_config32(PCI_ME_HFSTS3); 29 | -- 30 | 2.20.1 31 | 32 | -------------------------------------------------------------------------------- /patches/coreboot-4.8.1/0059-util-Add-description.md-to-each-util.patch: -------------------------------------------------------------------------------- 1 | From 8ba9e8cf63f92902cdb71eb5c4d3b3ea579380f4 Mon Sep 17 00:00:00 2001 2 | From: Tom Hiller 3 | Date: Sat, 21 Jul 2018 00:14:00 -0400 4 | Subject: [PATCH 59/59] util: Add description.md to each util 5 | 6 | Descriptions are taken from the files themselves or READMEs. Description 7 | followed by a space with the language in marked up as code. 8 | 9 | Change-Id: I5f91e85d1034736289aedf27de00df00db3ff19c 10 | Signed-off-by: Tom Hiller 11 | Reviewed-on: https://review.coreboot.org/27563 12 | Tested-by: build bot (Jenkins) 13 | Reviewed-by: Philipp Deppenwiese 14 | Reviewed-by: Paul Menzel 15 | --- 16 | util/crossgcc/description.md | 1 + 17 | 1 file changed, 1 insertion(+) 18 | create mode 100644 util/crossgcc/description.md 19 | 20 | diff --git a/util/crossgcc/description.md b/util/crossgcc/description.md 21 | new file mode 100644 22 | index 0000000000..fa37c2b6ab 23 | --- /dev/null 24 | +++ b/util/crossgcc/description.md 25 | @@ -0,0 +1 @@ 26 | +A cross toolchain builder for -elf toolchains (ie. no libc support) 27 | -- 28 | 2.17.1 29 | 30 | -------------------------------------------------------------------------------- /patches/coreboot-4.8.1/0060-enable-tpm-on-t430.patch: -------------------------------------------------------------------------------- 1 | mb/lenovo/t430/devicetree: Add missing TPM entry 2 | Tested on Lenovo T430: 3 | The TPM is advertised through ACPI tables and the version can be 4 | read using tpm_version, tcsd and tpm_tis. 5 | Change-Id: I0b0c39e7aa1be4a479325d4b5eff5892a7e2f69f 6 | Signed-off-by: Patrick Rudolph 7 | Reviewed-on: https://review.coreboot.org/26780 8 | Tested-by: build bot (Jenkins) 9 | Reviewed-by: Arthur Heymans 10 | Reviewed-by: Paul Menzel 11 | Original Commit at: https://review.coreboot.org/c/coreboot/+/26780 12 | --- ./src/mainboard/lenovo/t430/devicetree.cb 2020-01-15 17:42:17.441317488 +0000 13 | +++ ./src/mainboard/lenovo/t430/devicetree.cb 2020-01-15 17:37:39.889846000 +0000 14 | @@ -165,6 +165,9 @@ 15 | 16 | register "has_thinker1" = "0" 17 | end 18 | + chip drivers/pc80/tpm 19 | + device pnp 0c31.0 on end 20 | + end 21 | end 22 | device pci 1f.2 on # SATA Controller 1 23 | subsystemid 0x17aa 0x21f3 24 | -------------------------------------------------------------------------------- /patches/cryptsetup-1.7.3.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive ../../clean/cryptsetup-1.7.3/src/Makefile.in ./cryptsetup-1.7.3/src/Makefile.in 2 | --- ../../clean/cryptsetup-1.7.3/src/Makefile.in 2016-10-28 09:45:06.000000000 -0400 3 | +++ cryptsetup-1.7.3/src/Makefile.in 2017-01-27 17:24:13.115962328 -0500 4 | @@ -479,6 +479,8 @@ 5 | cryptsetup_LDADD = \ 6 | $(top_builddir)/lib/libcryptsetup.la \ 7 | @POPT_LIBS@ \ 8 | + @UUID_LIBS@ \ 9 | + @DEVMAPPER_LIBS@ \ 10 | @PWQUALITY_LIBS@ \ 11 | @PASSWDQC_LIBS@ 12 | 13 | @@ -503,6 +505,8 @@ 14 | 15 | @VERITYSETUP_TRUE@veritysetup_LDADD = \ 16 | @VERITYSETUP_TRUE@ $(top_builddir)/lib/libcryptsetup.la \ 17 | +@VERITYSETUP_TRUE@ @UUID_LIBS@ \ 18 | +@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ 19 | @VERITYSETUP_TRUE@ @POPT_LIBS@ 20 | 21 | @VERITYSETUP_TRUE@veritysetup_CFLAGS = $(cryptsetup_CFLAGS) 22 | -------------------------------------------------------------------------------- /patches/dropbear-2016.74.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ../clean/dropbear-2016.74/svr-chansession.c ./dropbear-2016.74/svr-chansession.c 2 | --- ../clean/dropbear-2016.74/svr-chansession.c 2016-07-21 11:17:09.000000000 -0400 3 | +++ dropbear-2016.74/svr-chansession.c 2017-09-19 11:01:34.889121503 -0400 4 | @@ -925,10 +925,10 @@ 5 | if ((setgid(ses.authstate.pw_gid) < 0) || 6 | (initgroups(ses.authstate.pw_name, 7 | ses.authstate.pw_gid) < 0)) { 8 | - dropbear_exit("Error changing user group"); 9 | + //dropbear_exit("Error changing user group"); 10 | } 11 | if (setuid(ses.authstate.pw_uid) < 0) { 12 | - dropbear_exit("Error changing user"); 13 | + //dropbear_exit("Error changing user"); 14 | } 15 | } else { 16 | /* ... but if the daemon is the same uid as the requested uid, we don't 17 | -------------------------------------------------------------------------------- /patches/gpg-1.4.21.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive /home/hudson/build/clean/gnupg-1.4.21/configure gnupg-1.4.21/configure 2 | --- /home/hudson/build/clean/gnupg-1.4.21/configure 2016-08-17 09:20:25.000000000 -0400 3 | +++ gnupg-1.4.21/configure 2018-01-20 16:55:14.502067084 -0500 4 | @@ -572,7 +572,7 @@ 5 | ac_clean_files= 6 | ac_config_libobj_dir=. 7 | LIBOBJS= 8 | -cross_compiling=no 9 | +cross_compiling=yes 10 | subdirs= 11 | MFLAGS= 12 | MAKEFLAGS= 13 | @@ -17100,7 +17100,7 @@ 14 | _libusb_try_libs=`$LIBS $_usb_config --libs` 15 | _libusb_try_cflags=`$LIBS $_usb_config --cflags` 16 | else 17 | - _libusb_try_libs="-lusb" 18 | + _libusb_try_libs="-lusb -lusb-1.0" 19 | _libusb_try_cflags="" 20 | fi 21 | 22 | @@ -17112,6 +17112,7 @@ 23 | 24 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext 25 | /* end confdefs.h. */ 26 | +#include 27 | #include 28 | int 29 | main () 30 | diff -u --recursive /home/hudson/build/clean/gnupg-1.4.21/util/ttyio.c gnupg-1.4.21/util/ttyio.c 31 | --- /home/hudson/build/clean/gnupg-1.4.21/util/ttyio.c 2016-04-22 03:30:18.000000000 -0400 32 | +++ gnupg-1.4.21/util/ttyio.c 2018-01-20 13:44:46.186273642 -0500 33 | @@ -183,7 +183,8 @@ 34 | #elif defined(__EMX__) 35 | ttyfp = stdout; /* Fixme: replace by the real functions: see wklib */ 36 | #else 37 | - ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); 38 | + //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); 39 | + ttyfp = stderr; 40 | if( !ttyfp ) { 41 | ttyfp = stderr; /* Use stderr as fallback for log_error. */ 42 | initialized = 1; /* Make sure log_error won't try to init 43 | -------------------------------------------------------------------------------- /patches/gpg2-2.2.10.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive /home/tlaurion/build/clean/gnupg-2.2.10/configure gnupg-2.2.10/configure 2 | --- /home/tlaurion/build/clean/gnupg-2.2.10/configure 2016-08-17 09:20:25.000000000 -0400 3 | +++ gnupg-2.2.10/configure 2018-01-20 16:55:14.502067084 -0500 4 | @@ -572,7 +572,7 @@ 5 | ac_clean_files= 6 | ac_config_libobj_dir=. 7 | LIBOBJS= 8 | -cross_compiling=no 9 | +cross_compiling=yes 10 | subdirs= 11 | MFLAGS= 12 | MAKEFLAGS= 13 | diff -u --recursive gnupg-2.2.10/common/ttyio.c gnupg-2.2.10/common/ttyio.c.mod 14 | --- gnupg-2.2.10/common/ttyio.c 2017-08-28 06:22:54.000000000 -0400 15 | +++ gnupg-2.2.10/common/ttyio.c.mod 2018-09-18 23:00:07.386250017 -0400 16 | @@ -190,7 +190,9 @@ 17 | #elif defined (HAVE_W32CE_SYSTEM) 18 | ttyfp = stderr; 19 | #else 20 | - ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+"); 21 | + //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); 22 | + ttyfp = stderr; 23 | + 24 | if( !ttyfp ) { 25 | log_error("cannot open '%s': %s\n", tty_get_ttyname (), 26 | strerror(errno) ); 27 | 28 | -------------------------------------------------------------------------------- /patches/gpg2-2.4.2.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive gnupg-2.4.0/configure gnupg-2.4.0/configure 2 | --- gnupg-2.4.0/configure 2016-08-17 09:20:25.000000000 -0400 3 | +++ gnupg-2.4.0/configure 2018-01-20 16:55:14.502067084 -0500 4 | @@ -572,7 +572,7 @@ 5 | ac_clean_files= 6 | ac_config_libobj_dir=. 7 | LIBOBJS= 8 | -cross_compiling=no 9 | +cross_compiling=yes 10 | subdirs= 11 | MFLAGS= 12 | MAKEFLAGS= 13 | --- gnupg-2.4.0/common/ttyio.c.orig 2023-03-24 02:37:40.384435064 +0100 14 | +++ gnupg-2.4.0/common/ttyio.c 2023-03-24 02:38:21.825961221 +0100 15 | @@ -186,7 +186,7 @@ 16 | SetConsoleMode (con.out, DEF_OUTMODE); 17 | 18 | #else /* Unix */ 19 | - ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+"); 20 | + ttyfp = stderr; 21 | if (!ttyfp) 22 | { 23 | log_error ("cannot open '%s': %s\n", tty_get_ttyname (), strerror(errno)); 24 | -------------------------------------------------------------------------------- /patches/libgpg-error-1.47.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h b/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h 2 | new file mode 100644 3 | index 0000000..635e6eb 4 | --- /dev/null 5 | +++ b/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h 6 | @@ -0,0 +1,25 @@ 7 | +## lock-obj-pub.powerpc64le-unknown-linux-musl.h 8 | +## File created by gen-posix-lock-obj - DO NOT EDIT 9 | +## To be included by mkheader into gpg-error.h 10 | + 11 | +typedef struct 12 | +{ 13 | + long _vers; 14 | + union { 15 | + volatile char _priv[40]; 16 | + long _x_align; 17 | + long *_xp_align; 18 | + } u; 19 | +} gpgrt_lock_t; 20 | + 21 | +#define GPGRT_LOCK_INITIALIZER {1,{{0,0,0,0,0,0,0,0, \ 22 | + 0,0,0,0,0,0,0,0, \ 23 | + 0,0,0,0,0,0,0,0, \ 24 | + 0,0,0,0,0,0,0,0, \ 25 | + 0,0,0,0,0,0,0,0}}} 26 | +## 27 | +## Local Variables: 28 | +## mode: c 29 | +## buffer-read-only: t 30 | +## End: 31 | +## 32 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0138-hv-mei.patch: -------------------------------------------------------------------------------- 1 | diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c 2 | index 995ff1b..36a67fa 100644 3 | --- a/drivers/misc/mei/hbm.c 4 | +++ b/drivers/misc/mei/hbm.c 5 | @@ -1250,8 +1250,8 @@ int mei_hbm_dispatch(struct mei_device *dev, struct mei_msg_hdr *hdr) 6 | break; 7 | 8 | default: 9 | - BUG(); 10 | - break; 11 | + WARN(1, "hbm: wrong command %d\n", mei_msg->hbm_cmd); 12 | + return -EPROTO; 13 | 14 | } 15 | return 0; 16 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/shebangs.patch: -------------------------------------------------------------------------------- 1 | diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs 2 | index 8bcb9e26c7bc..90137319c50a 100755 3 | --- a/scripts/check-sysctl-docs 4 | +++ b/scripts/check-sysctl-docs 5 | @@ -1,4 +1,4 @@ 6 | -#!/usr/bin/gawk -f 7 | +#!/usr/bin/env -S gawk -f 8 | # SPDX-License-Identifier: GPL-2.0 9 | 10 | # Script to check sysctl documentation against source files 11 | diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh 12 | index f2be0ff9a738..7a5b546ece16 100755 13 | --- a/scripts/ld-version.sh 14 | +++ b/scripts/ld-version.sh 15 | @@ -1,4 +1,4 @@ 16 | -#!/usr/bin/awk -f 17 | +#!/usr/bin/env -S awk -f 18 | # SPDX-License-Identifier: GPL-2.0 19 | # extract linker version number from stdin and turn into single number 20 | { 21 | diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl 22 | index 2ca4eb3f190d..9515765158fa 100755 23 | --- a/scripts/parse-maintainers.pl 24 | +++ b/scripts/parse-maintainers.pl 25 | @@ -1,4 +1,4 @@ 26 | -#!/usr/bin/perl -w 27 | +#!/usr/bin/env -S perl -w 28 | # SPDX-License-Identifier: GPL-2.0 29 | 30 | use strict; 31 | diff --git a/scripts/ver_linux b/scripts/ver_linux 32 | index 0968a3070eff..345b92f71d2d 100755 33 | --- a/scripts/ver_linux 34 | +++ b/scripts/ver_linux 35 | @@ -1,4 +1,4 @@ 36 | -#!/usr/bin/awk -f 37 | +#!/usr/bin/env -S awk -f 38 | # SPDX-License-Identifier: GPL-2.0 39 | # Before running this script please ensure that your PATH is 40 | # typical as you use for compilation/installation. I use 41 | -------------------------------------------------------------------------------- /patches/linux-5.10.5/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.10.5/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.10.5/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-5.10.5/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.15.45/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.15.45/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.15.45/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.4.68/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.4.68/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.4.68/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-5.4.68/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-6.1.8/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-6.1.8/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-6.1.8/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%lx\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/make-4.2.1.patch: -------------------------------------------------------------------------------- 1 | --- clean/make-4.2.1/glob/glob.c 2013-10-20 19:14:38.000000000 +0200 2 | +++ make-4.2.1/glob/glob.c 2021-09-18 17:51:09.814552369 +0200 3 | @@ -208,7 +208,7 @@ 4 | #endif /* __GNU_LIBRARY__ || __DJGPP__ */ 5 | 6 | 7 | -#if !defined __alloca && !defined __GNU_LIBRARY__ 8 | +#if !defined __alloca && defined __GNU_LIBRARY__ 9 | 10 | # ifdef __GNUC__ 11 | # undef alloca 12 | @@ -231,7 +231,7 @@ 13 | 14 | #endif 15 | 16 | -#ifndef __GNU_LIBRARY__ 17 | +#ifdef __GNU_LIBRARY__ 18 | # define __stat stat 19 | # ifdef STAT_MACROS_BROKEN 20 | # undef S_ISDIR 21 | -------------------------------------------------------------------------------- /patches/openssl-3.0.8.patch: -------------------------------------------------------------------------------- 1 | --- ./util/mkbuildinf.pl.orig 2023-02-07 08:43:33.000000000 -0500 2 | +++ ./util/mkbuildinf.pl 2024-03-27 14:36:49.974651246 -0400 3 | @@ -12,7 +12,7 @@ 4 | my ($cflags, $platform) = @ARGV; 5 | $cflags = "compiler: $cflags"; 6 | 7 | -my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC"; 8 | +my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC"; 9 | 10 | print <<"END_OUTPUT"; 11 | /* 12 | @@ -36,21 +36,7 @@ 13 | * literal 14 | */ 15 | static const char compiler_flags[] = { 16 | -END_OUTPUT 17 | - 18 | -my $ctr = 0; 19 | -foreach my $c (split //, $cflags) { 20 | - $c =~ s|([\\'])|\\$1|; 21 | - # Max 16 characters per line 22 | - if (($ctr++ % 16) == 0) { 23 | - if ($ctr != 1) { 24 | - print "\n"; 25 | - } 26 | - print " "; 27 | - } 28 | - print "'$c',"; 29 | -} 30 | -print <<"END_OUTPUT"; 31 | -'\\0' 32 | + 'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i', 33 | + 'l','d','\\0' 34 | }; 35 | END_OUTPUT 36 | -------------------------------------------------------------------------------- /patches/pciutils-3.5.4.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive clean/pciutils-3.5.4/lib/types.h pciutils-3.5.4/lib/types.h 2 | --- clean/pciutils-3.5.4/lib/types.h 2017-02-24 15:22:04.000000000 -0500 3 | +++ pciutils-3.5.4/lib/types.h 2018-03-02 09:31:29.115000000 -0500 4 | @@ -8,6 +8,8 @@ 5 | 6 | #include 7 | 8 | +#define PCI_HAVE_STDINT_H 9 | + 10 | #ifndef PCI_HAVE_Uxx_TYPES 11 | 12 | #ifdef PCI_OS_WINDOWS 13 | -------------------------------------------------------------------------------- /patches/powerpc-utils-1.3.5.patch: -------------------------------------------------------------------------------- 1 | AC_FUNC_MALLOC somehow fails to find malloc(), so drop the check 2 | 3 | Weirdly, it doesn't fail configuration, but instead adds -Dmalloc=rpl_malloc 4 | and fails linking. 5 | 6 | diff --git a/configure.ac.orig b/configure.ac 7 | index a7be3ee95c..74aade323b 100644 8 | --- a/configure.ac 9 | +++ b/configure.ac 10 | @@ -33,7 +33,6 @@ AC_TYPE_UINT8_T 11 | # Checks for library functions. 12 | AC_FUNC_FORK 13 | AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK 14 | -AC_FUNC_MALLOC 15 | AC_FUNC_MKTIME 16 | AC_CHECK_FUNCS([memset strchr strcspn strdup strerror strrchr strstr strtol strtoul strtoull gettimeofday]) 17 | 18 | -------------------------------------------------------------------------------- /patches/tpm2-tools-5.6.patch: -------------------------------------------------------------------------------- 1 | --- ./bootstrap.orig 2023-11-08 02:19:36.000000000 -0500 2 | +++ ./bootstrap 2024-04-03 12:18:46.722995465 -0400 3 | @@ -5,7 +5,7 @@ 4 | 5 | # Generate a VERSION file that is included in the dist tarball to avoid needed git 6 | # when calling autoreconf in a release tarball. 7 | -git describe --tags --always --dirty > VERSION 8 | +#git describe --tags --always --dirty > VERSION 9 | 10 | # generate list of source files for use in Makefile.am 11 | # if you add new source files, you must run ./bootstrap again 12 | diff --git a/Makefile.am b/Makefile.am 13 | index 7132215..32e2193 100644 14 | --- a/Makefile.am 15 | +++ b/Makefile.am 16 | @@ -93,7 +93,7 @@ tss2_tools = \ 17 | 18 | # Bundle all the tools into a single program similar to busybox 19 | bin_PROGRAMS += tools/tpm2 20 | -tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS) 21 | +tools_tpm2_LDADD = $(LDADD) 22 | tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))" 23 | tools_tpm2_SOURCES = \ 24 | tools/tpm2_tool.c \ 25 | @@ -127,7 +127,6 @@ tpm2_tools = \ 26 | tools/tpm2_encryptdecrypt.c \ 27 | tools/tpm2_evictcontrol.c \ 28 | tools/tpm2_flushcontext.c \ 29 | - tools/tpm2_getekcertificate.c \ 30 | tools/tpm2_getrandom.c \ 31 | tools/tpm2_gettime.c \ 32 | tools/tpm2_hash.c \ 33 | --- ./configure.ac.orig 2023-11-08 02:19:36.000000000 -0500 34 | +++ ./configure.ac 2024-04-02 12:05:00.270985575 -0400 35 | @@ -80,7 +80,6 @@ 36 | AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [ 37 | AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])], 38 | []) 39 | -PKG_CHECK_MODULES([CURL], [libcurl]) 40 | 41 | # pretty print of devicepath if efivar library is present 42 | # auto detect if not specified via the --with-efivar option. 43 | -------------------------------------------------------------------------------- /patches/tpm2-tss-3.2.2.patch: -------------------------------------------------------------------------------- 1 | --- a/configure.ac 2022-05-21 14:40:59.686470575 +0800 2 | +++ b/configure.ac 2022-05-21 14:41:21.406671435 +0800 3 | @@ -488,17 +488,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$sy 4 | AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes) 5 | AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes") 6 | 7 | -# Check all tools used by make install 8 | -AS_IF([test "$HOSTOS" = "Linux"], 9 | - [ AC_CHECK_PROG(useradd, useradd, yes) 10 | - AC_CHECK_PROG(groupadd, groupadd, yes) 11 | - AC_CHECK_PROG(adduser, adduser, yes) 12 | - AC_CHECK_PROG(addgroup, addgroup, yes) 13 | - AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ], 14 | - [AC_MSG_ERROR([addgroup or groupadd are needed.])]) 15 | - AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ], 16 | - [AC_MSG_ERROR([adduser or useradd are needed.])])]) 17 | - 18 | AC_SUBST([PATH]) 19 | 20 | dnl --------- Doxy Gen ----------------------- 21 | --------------------------------------------------------------------------------